WO2016206393A1 - Method and apparatus for managing application and method and apparatus for implementing read-write operation - Google Patents


Publication number
WO2016206393A1
WO2016206393A1 PCT/CN2016/074131 CN2016074131W WO2016206393A1 WO 2016206393 A1 WO2016206393 A1 WO 2016206393A1 CN 2016074131 W CN2016074131 W CN 2016074131W WO 2016206393 A1 WO2016206393 A1 WO 2016206393A1
Authority
WO
WIPO (PCT)
Prior art keywords
code
application
file
interface
security
Prior art date
Application number
PCT/CN2016/074131
Other languages
French (fr)
Chinese (zh)
Inventor
张金昕
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2016206393A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/556 Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Definitions

  • This document relates to, but is not limited to, the field of communications, and in particular, to a method and apparatus for managing applications, and a method and apparatus for implementing read and write operations.
  • Enterprise mobile applications occupy an increasingly important position in the daily work of enterprises, and the demand for mobile office is becoming more and more common.
  • Enterprise mobile applications are different from ordinary mobile applications (app, Application).
  • The diversification and individualization requirements of enterprise applications are strong, such as access control of core systems, and enterprise users increasingly favor full-value-chain solutions.
  • Since there was no unified standard planning at the beginning of enterprise mobile application development, many enterprises have a large number of isolated legacy mobile applications, and flexibly and conveniently adding new capabilities to mobile applications to adapt to the changing needs of enterprises has become more difficult.
  • Embodiments of the present invention provide a method and apparatus for managing an application, and a method and apparatus for implementing a read/write operation, which can improve the security of an application in a mobile terminal.
  • An embodiment of the present invention provides a method for managing an application, including:
  • The packager performs first processing on the installation package of the application to obtain the target code.
  • The packager performs second processing on the target code to obtain an installation package of the security application, wherein code for implementing the data secure transmission function is added to the installation package of the security application.
  • The packager performing the first processing on the installation package of the application to obtain the target code includes:
  • The packager unpacks, decompiles, and disassembles the installation package of the application to obtain the target code.
  • The packager performing the second processing on the target code to obtain the installation package of the security application includes:
  • The packager determines the location of the first interface code in the target code, wherein the first interface code comprises the code that the input/output (I/O) operations of the application in the target code call in the operating system of the mobile terminal.
  • According to the determined location, the packager replaces the first interface code with pre-stored second interface code that the I/O operations of the application call in the secure operation platform pre-installed in the mobile terminal.
  • The second interface code includes the code for implementing the data secure transmission function.
  • The packager links, compiles, and packages the target code in which the first interface code has been replaced with the second interface code to obtain the installation package of the security application.
  • Replacing the first interface code with the second interface code comprises: replacing the first interface code with the second interface code by code injection and/or function hooking.
  • The code for implementing the data secure transmission function includes encryption code for encrypting unencrypted information that is output and/or decryption code for decrypting encrypted information that is received.
  • The code for implementing the data secure transmission function further includes code for processing the I/O operations by using the secure operation platform.
  • the embodiment of the invention further provides a method for implementing a read and write operation, comprising:
  • the mobile terminal receives an instruction from the user to read the file of the security application, decrypts the file of the read security application, and performs a read operation on the decrypted file.
  • The method also includes:
  • the mobile terminal receives an instruction from the user to write a file of the security application, and the mobile terminal encrypts the file of the written security application and performs a write operation on the encrypted file.
  • the writing of the encrypted file includes: writing the encrypted file by using a secure running platform.
  • performing the reading operation on the decrypted file includes: performing a read operation on the decrypted file by using a secure running platform.
  • An embodiment of the present invention further provides an apparatus for managing an application, including:
  • a first processing module configured to perform a first processing on the installation package of the application to obtain a target code
  • a second processing module configured to perform a second processing on the target code to obtain an installation package of the security application, wherein, after the second processing, the installation package of the security application includes code for implementing a data security transmission function.
  • the second processing module is configured to
  • the first interface code comprises: a code invoked in an operating system of the mobile terminal by an input/output I/O operation of the target code;
  • the interface code includes the code for implementing a data secure transmission function
  • the embodiment of the invention further provides a mobile terminal, including:
  • a receiving module configured to receive an instruction from a user to read a file of the security application
  • the encryption and decryption module is configured to decrypt the file of the read security application
  • the read/write operation module is set to read the decrypted file.
  • the receiving module is further configured to:
  • the encryption and decryption module is further configured to:
  • the read/write operation module is further configured to: write the encrypted file.
  • Embodiments of the present invention also provide a computer readable storage medium storing computer executable instructions for use in any of the methods described above.
  • The embodiment provided by the present invention obtains the target code by performing the first processing on the installation package of the application, and then performs the second processing on the target code to obtain the installation package of the security application. Because the installation package of the security application contains the code for implementing the data secure transmission function, the data of the security application cannot be stolen by a third party when the application runs on the mobile terminal, thereby improving the security of the application in the mobile terminal.
  • FIG. 1 is a flowchart of a method for managing an application according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for implementing a read/write operation according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of a method for managing an application according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a method for a mobile terminal to control a security application through an enterprise security container according to an embodiment of the present invention
  • FIG. 5 is a schematic structural diagram of an apparatus for managing an application according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a mobile terminal according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a method for managing an application according to an embodiment of the present invention. The method shown in Figure 1 includes:
  • Step 101: The packager performs the first processing on the installation package of the application to obtain the target code.
  • The target code includes the target code of one or more files.
  • the application may be a text application, a Word application, an Excel application, or the like.
  • the packager performs the first processing on the application installation package to obtain the target code, including:
  • the packager unpacks, decompiles, and disassembles the application's installation package to get the target code.
  • Step 102: The packager performs second processing on the target code to obtain an installation package of the security application, where, after the second processing, the installation package of the security application includes code for implementing a data secure transmission function.
  • The packager performing the second processing on the target code to obtain the installation package of the security application includes:
  • The packager determines the location of the first interface code in the target code, wherein the first interface code comprises the code that the input/output (I/O, Input/Output) operations of the target code call in the operating system of the mobile terminal;
  • according to the determined location, the packager replaces the first interface code with pre-stored second interface code that the I/O operations of the application call in the secure operation platform pre-installed in the mobile terminal;
  • the packager links, compiles, and packages the target code in which the first interface code has been replaced with the second interface code to obtain the installation package of the security application.
  • The second interface code includes code for implementing a data secure transmission function.
  • The operating system of the mobile terminal is often open. To prevent the application from being attacked by malware in the operating system, the security application is run on a secure running platform, which can effectively reduce the possibility of being attacked.
  • Because the I/O interface code configured in the initial stage of the application is configured for the operating system of the mobile terminal, the configuration of the I/O interface needs to be changed to ensure that the security application can run on the secure running platform.
  • From the target code, the position of the first interface code called by the I/O operations in the operating system of the mobile terminal can be effectively obtained, and the first interface code in the target code is then replaced with the second interface code.
  • the code for implementing the data secure transmission function includes an encryption code for encrypting the output unencrypted information, and/or a decryption code for decrypting the received encrypted information.
  • the code for implementing the secure transfer function of data may also include code for handling I/O operations using a secure runtime platform.
  • The output data may be encrypted data. Since the output data is encrypted, even if it is stolen by a third-party application, it cannot be cracked by that application, thus ensuring the security of the data sent by the application and improving the security of the application. If the installation package of the security application includes the decryption code, it can receive encrypted data and decrypt it locally to obtain the plaintext, whereas a third party cannot decrypt it to obtain the plaintext, thus ensuring the security of the data received by the application and improving the security of the application.
  • The second interface code may replace the first interface code in the target code by means of code injection and/or function hooking.
  • The code injection and function hook methods of the related art may be applied to the embodiment of the present invention, and details are not described herein again.
  • an embodiment of the present invention further provides a method for implementing a read/write operation, including:
  • Step 200: The mobile terminal receives an instruction from the user to read the file of the security application, decrypts the file of the read security application, and performs a read operation on the decrypted file.
  • The instruction to read the file of the secure application may be an instruction to open the file, an instruction to slide the file, or the like.
  • When the mobile terminal receives an instruction from the user to write a file of the secure application, the file of the written secure application is encrypted, and the encrypted file is written.
  • The read operation and/or the write operation can be performed through the secure operation platform. For the mobile terminal to be able to read and/or write the files of the security application, the secure operation platform needs to be installed in the mobile terminal in advance, so that the security application runs on the secure operation platform once it is opened.
  • The secure operation platform is obtained by:
  • running an application with the information isolation function to obtain the secure operation platform.
  • The secure operation platform can be self-developed or obtained by installing an application with an information isolation function.
  • The method provided by the embodiment of the present invention obtains the target code by performing the first processing on the installation package of the application, and then obtains the installation package of the security application by performing the second processing on the target code. Because the installation package of the security application includes the code for implementing the data secure transmission function, the data of the security application cannot be stolen by a third party after the installation package is installed on the mobile terminal, thereby improving the security of the application in the mobile terminal.
  • FIG. 3 is a schematic diagram of a method for managing an application according to an embodiment of the present invention.
  • the method shown in Figure 3 includes:
  • Step 301: The packager performs the first processing on the installation package of the application to obtain the target code.
  • The mobile application is unpacked, decompiled, and disassembled using the APK decompile tool (Apktool) to obtain the smali code (i.e., the target code).
  • Step 302: The packager determines the location, in the target code, of the first interface code that the I/O operations of the application call in the operating system of the mobile terminal.
  • The first interface code is searched for in the above smali code, and the location of each first interface code found in the target code is recorded for later use.
  • There may be one or more locations of the first interface code in the target code, including at least the two types input and output.
  • Step 303: The packager replaces the first interface code in the target code with the second interface code.
  • The second interface code includes an encryption code, and/or a decryption code, and a code that processes the I/O operation using the secure container.
  • The second interface code is injected into the location of the corresponding first interface code in the target code.
  • Step 304: The packager modifies the target code of the AndroidManifest.xml file, adding the secure container identifier.
  • The security application is only displayed on the secure desktop corresponding to the secure container, but not on the normal desktop.
  • Step 305: The packager regenerates the installation package of the security application.
  • The packager can use apktool together with the Android resource packaging tool (aapt, Android Asset Packaging Tool) to link, compile, and package the target code in which the first interface code has been replaced with the second interface code, regenerating the installation package of the security application.
  • Step 306: The packager re-signs the mobile application.
  • The packager can re-sign the mobile app using the signature tool signapk and the default signature file, or a user-specified signature file.
  • The first interface code in the target code can be replaced with the second interface code by code injection and function hooking, so that the application is modified to automatically encrypt unencrypted files and automatically decrypt encrypted files when it is used for reading, writing, and editing files. Once a file leaves this usage environment, a third-party application cannot open it because it cannot obtain the automatic decryption service, which protects the content of the file.
  • The first interface code in the target code is replaced with the second interface code by using code injection technology or API hook (HOOK) technology, so that the application gains the file encryption and decryption capability, and the application's file operation interface is changed from calling the system interface to pointing to the enterprise security container.
  • the first application is implemented by enabling the controlled application to accept enterprise security container management.
  • FIG. 4 is a schematic diagram of a method for a mobile terminal to control a security application through an enterprise security container according to an embodiment of the present invention.
  • the method shown in Figure 4 includes:
  • Step 401: The mobile terminal acquires an installation package of the enterprise security container and installs it.
  • Step 402: The mobile terminal acquires an installation package of the security application and installs it.
  • Step 403: The mobile terminal receives an instruction from the user to read the file of the security application, decrypts the file of the read security application, and sends the decrypted file to the enterprise security container through the Android IBinder interface, and the enterprise security container reads the decrypted file.
  • When the mobile terminal receives an instruction from the user to write a file of the security application, the file of the written security application is encrypted, the encrypted file is sent to the enterprise security container through the Android IBinder interface, and the enterprise security container writes the encrypted file.
  • Enterprise security container management refers to installing the enterprise security container application on the mobile phone, replacing the system read/write interface in the original application with the secure container's read/write interface, and writing the encrypted file into the sandbox isolation area of the enterprise security container.
  • The quarantine sandbox provides a layer of protection that shields the software program from system modifications. Malware or Trojans, in addition to having to break through the sandboxed virtual system and its restricted permissions, would also have to decrypt the security application's files. The quarantine sandbox of the security container together with the encryption of the security application's files builds a solid line of defense against Trojans, providing the strongest protection.
  • Through user-space API interception, the security application runs only in the quarantine sandbox of the enterprise security container. The quarantine sandbox provides a copy of the system environment with some permissions reduced; all operations of a program in the sandbox, such as adding files, modifying files, and modifying the registry, are not actually applied to the system but to the copy, which is invisible to normal programs of the real system. Because nothing changes in the system, a Trojan cannot survive and disappears when the sandbox is cleared. The second protection is achieved by the isolation sandbox of the security container.
  • There is no need to redevelop and provide a new application: the ability to encrypt and decrypt files on read and write can be added conveniently and flexibly to the original enterprise mobile application, and the source code of the original application is not needed.
  • File read and write encryption is achieved by simple security hardening, not used
  • double-layer protection is provided by the enterprise security container for file operations in the sandbox quarantine area, which can reduce the possibility that the application is modified.
  • Malware or Trojans cannot crack the file encryption of the mobile application.
  • The isolation sandbox of the security container and the encryption of the security-hardened files build a solid line of defense against viruses and Trojans, providing the strongest protection.
  • The invention provides a system for securing the operation of mobile application files, with dual protection from file encryption and sandboxing.
  • The system is simple to operate: it only needs to perform the file-encryption security hardening on the controlled application and to install the enterprise security container on the mobile phone.
  • Embodiments of the present invention also provide a computer readable storage medium storing computer executable instructions for performing any of the methods described above.
  • FIG. 5 is a schematic structural diagram of an apparatus for managing an application according to an embodiment of the present invention.
  • the device shown in Figure 5 includes:
  • a first processing module configured to perform a first processing on the installation package of the application to obtain a target code
  • a second processing module configured to perform a second processing on the target code to obtain an installation package of the security application, wherein, after the second processing, the installation package of the security application includes code for implementing a data security transmission function.
  • the second processing module is configured to
  • the first interface code comprises: a code invoked in an operating system of the mobile terminal by an input/output I/O operation of the target code;
  • the interface code includes the code for implementing a data secure transmission function
  • the target code in which the first interface code has been replaced with the second interface code is linked, compiled, and packaged to obtain the installation package of the security application.
  • an embodiment of the present invention further provides a mobile terminal, including:
  • a receiving module configured to receive an instruction from a user to read a file of the security application
  • the encryption and decryption module is configured to decrypt the file of the read security application
  • the read/write operation module is set to read the decrypted file.
  • the receiving module is further configured to:
  • the encryption and decryption module is further configured to:
  • the read/write operation module is further configured to: write the encrypted file.
  • a computer program flow, which can be stored in a computer readable storage medium and is executed on a corresponding hardware platform (e.g., a system, a device, etc.), and which, when executed, includes one or a combination of the steps of the method embodiments.
  • All or part of the steps of the above embodiments may also be implemented by using an integrated circuit. These steps may be separately fabricated into individual integrated circuit modules, or multiple modules or steps may be fabricated into a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
  • The devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • When each device/function module/functional unit in the above embodiment is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • The above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
  • Each module/unit in the above embodiment may be implemented in the form of hardware, for example, by an integrated circuit to implement its corresponding function. It can also be implemented in the form of a software function module, for example, by a processor executing a program/instruction stored in a memory to implement its corresponding function.
  • the invention is not limited to any specific form of combination of hardware and software.
  • the embodiment of the invention improves the security of the application in the mobile terminal.
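
Steps 302 and 303 above (locating the first interface code in the smali target code, recording its positions, and replacing it with the second interface code) can be sketched as follows. This is an added example, not code from the patent or from any packager product. It assumes that the first interface code is the construction of `java.io.FileInputStream` / `java.io.FileOutputStream` and that the secure container ships drop-in subclasses; the `com.example.container` class names and the sample smali are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: "first interface code" = construction of the platform file
# streams; "second interface code" = hypothetical drop-in subclasses shipped
# by the secure container. Neither class list comes from the patent.
SECOND_INTERFACE = {
    "Ljava/io/FileInputStream;": ("input", "Lcom/example/container/SecureFileInputStream;"),
    "Ljava/io/FileOutputStream;": ("output", "Lcom/example/container/SecureFileOutputStream;"),
}
BY_DIRECTION = {d: (first, second) for first, (d, second) in SECOND_INTERFACE.items()}

NEW_INSTANCE = re.compile(r"^\s*new-instance\s+[vp]\d+,\s*(L[\w/$]+;)\s*$")
CONSTRUCTOR = re.compile(r"^\s*invoke-direct(?:/range)?\s*\{[^}]*\},\s*(L[\w/$]+;)-><init>\(")
SUPER = re.compile(r"^\.super\s+(L[\w/$]+;)\s*$")


@dataclass(frozen=True)
class Location:
    path: str
    line: int        # 1-based line number in the smali file
    direction: str   # "input" or "output"
    opcode: str      # "new-instance" or "invoke-direct"


def locate(path, text):
    """Step 302: return (locations, skipped) for one smali file.

    A class that itself extends a platform stream calls the platform
    constructor as its super-constructor; redirecting that call would break
    bytecode verification, so the file is skipped and reported instead.
    """
    lines = text.splitlines()
    supers = [m.group(1) for m in map(SUPER.match, lines) if m]
    if any(s in SECOND_INTERFACE for s in supers):
        return [], True
    found = []
    for number, raw in enumerate(lines, start=1):
        for opcode, pattern in (("new-instance", NEW_INSTANCE), ("invoke-direct", CONSTRUCTOR)):
            m = pattern.match(raw)
            if m and m.group(1) in SECOND_INTERFACE:
                found.append(Location(path, number, SECOND_INTERFACE[m.group(1)][0], opcode))
    return found, False


def replace(text, locations):
    """Step 303: swap the class descriptor at the recorded locations only.

    Field types, signatures and invoke-virtual calls keep the platform type;
    they stay valid because the replacement is a subclass of it.
    """
    lines = text.splitlines()
    for loc in locations:
        first, second = BY_DIRECTION[loc.direction]
        lines[loc.line - 1] = lines[loc.line - 1].replace(first, second, 1)
    return "\n".join(lines) + "\n"


def harden(files):
    """Run both steps over {path: smali text}; returns (patched, report, skipped)."""
    patched, report, skipped = {}, [], []
    for path, text in sorted(files.items()):
        locations, skip = locate(path, text)
        if skip:
            skipped.append(path)
        report.extend(locations)
        patched[path] = replace(text, locations) if locations else text
    return patched, report, skipped


# Constructed sample input (not taken from any real application).
SAMPLE = {
    "smali/com/example/notes/Store.smali": """\
.class public Lcom/example/notes/Store;
.super Ljava/lang/Object;
.method public static save(Ljava/lang/String;[B)V
    .locals 1
    new-instance v0, Ljava/io/FileOutputStream;
    invoke-direct {v0, p0}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0, p1}, Ljava/io/FileOutputStream;->write([B)V
    return-void
.end method
.method public static open(Ljava/lang/String;)Ljava/io/InputStream;
    .locals 1
    new-instance v0, Ljava/io/FileInputStream;
    invoke-direct {v0, p0}, Ljava/io/FileInputStream;-><init>(Ljava/lang/String;)V
    return-object v0
.end method
""",
    "smali/com/example/notes/LogStream.smali": """\
.class public Lcom/example/notes/LogStream;
.super Ljava/io/FileOutputStream;
.method public constructor <init>(Ljava/lang/String;)V
    .locals 0
    invoke-direct {p0, p1}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V
    return-void
.end method
""",
}
```

Calling `harden(SAMPLE)` returns the patched files, the recorded input/output locations, and the files left untouched for manual review; the `invoke-virtual` write call keeps its platform descriptor and reaches the subclass through virtual dispatch.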

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Telephone Function (AREA)

Abstract

A method and apparatus for managing an application, comprising: a packager performing first processing on an installation package of an application, so as to obtain a target code; and the packager performing second processing on the target code, so as to obtain an installation package of a secure application, wherein a code for implementing a secure data transmission function is added in the installation package of the secure application.

Description

管理应用的方法和装置、实现读写操作的方法和装置Method and device for managing application, method and device for implementing read and write operations 技术领域Technical field
本文涉及但不限于通信领域,尤其涉及一种管理应用的方法和装置、实现读写操作的方法和装置。This document relates to, but is not limited to, the field of communications, and in particular, to a method and apparatus for managing applications, and a method and apparatus for implementing read and write operations.
背景技术Background technique
目前企业的信息技术(IT,Information Technology)建设向移动终端发展,企业移动应用在企业的日常工作中占据越来越重要的位置,其中移动办公等需求越来越普遍。企业移动应用不同于普通的手机应用程序(app,Application),首先企业应用的多样化和个性化需求较强,比如对于核心系统的访问控制等,另外企业用户更加的趋向于全价值链的解决方案。由于企业移动应用发展之初没有统一标准的规划,很多的企业存在大量孤立遗留的移动应用,怎样灵活方便的为移动应用增加新的能力以适应企业多变的需求变的更加困难。At present, the development of enterprise information technology (IT, Information Technology) to mobile terminals, enterprise mobile applications occupy an increasingly important position in the daily work of enterprises, and the demand for mobile office is becoming more and more common. Enterprise mobile applications are different from ordinary mobile applications (app, Application). Firstly, the diversification and individualization requirements of enterprise applications are strong, such as access control of core systems, and enterprise users tend to solve the problem of full value chain. Program. Since there is no unified standard planning at the beginning of enterprise mobile application development, many enterprises have a large number of isolated mobile applications. How to flexibly and conveniently add new capabilities to mobile applications to adapt to the changing needs of enterprises becomes more difficult.
而随着安卓(Andriod)用户的增多,针对android系统的恶意软件越来越多。安全是Android进入企业很难的主要原因。而最主要的问题则是隐私泄漏,如:在企业应用中操作和读取的文件内容,一些重要的公司信息,都有可能被恶意软件盗取。With the increase of Android (Andriod) users, more and more malware for Android. Security is the main reason why Android is difficult to enter the enterprise. The main problem is privacy leakage, such as the contents of files that are manipulated and read in enterprise applications, and some important company information may be stolen by malware.
目前有很多针对于Android的隐私泄漏的侦测,包括分析Android安装包(APK,Android Package)的静态分析工具和动态分析工具。静态分析主要就是反编译APK,分析反编译之后的代码。动态分析主要就是让程序运行起来,获取程序运行过程中产生的应用程序编程接口(API,Application Programming Interface)调用,从而获取其行为信息。虽然目前有很多分析工具,可以分析和检测恶意的移动软件,但是目前还没有一套成熟的方案来保障移动办公的安全性。There are a lot of detections for privacy leaks for Android, including static analysis tools and dynamic analysis tools for analyzing Android installation packages (APK, Android Package). Static analysis is mainly to decompile the APK and analyze the code after decompilation. Dynamic analysis is mainly to let the program run and obtain the application programming interface (API) call generated during the running of the program to obtain its behavior information. Although there are many analysis tools available to analyze and detect malicious mobile software, there is currently no mature solution to ensure the security of mobile office.
Summary of the Invention
The following is an overview of the subject matter described in detail in this document. This overview is not intended to limit the scope of protection of the claims.
Embodiments of the present invention provide a method and apparatus for managing an application, and a method and apparatus for implementing read and write operations, which can improve the security of applications on a mobile terminal.
An embodiment of the present invention provides a method for managing an application, including:
A packager performs first processing on the installation package of an application to obtain target code;
The packager performs second processing on the target code to obtain the installation package of a secure application, where code for implementing a secure data transmission function is added to the installation package of the secure application.
Optionally, the packager performing first processing on the installation package of the application to obtain the target code includes:
The packager unpacks, decompiles, and disassembles the installation package of the application to obtain the target code.
Optionally, the packager performing second processing on the target code to obtain the installation package of the secure application includes:
The packager determines the location of first interface code in the target code, where the first interface code comprises the code that the application's input/output (I/O) operations in the target code invoke in the operating system of the mobile terminal;
Based on the determined location, the packager replaces the first interface code with pre-stored second interface code, which is the code that the application's I/O operations invoke in a secure operating platform pre-installed in the mobile terminal, where the second interface code includes the code for implementing the secure data transmission function;
The packager links, compiles, and packages the target code in which the first interface code has been replaced with the second interface code, to obtain the installation package of the secure application.
Optionally, replacing the first interface code with the second interface code includes: replacing the first interface code with the second interface code by code injection and/or function hooking.
Optionally, the code for implementing the secure data transmission function includes encryption code for encrypting unencrypted information that is output and/or decryption code for decrypting encrypted information that is received.
Optionally, the code for implementing the secure data transmission function further includes code that uses the secure operating platform to handle I/O operations.
An embodiment of the present invention further provides a method for implementing read and write operations, including:
A mobile terminal receives an instruction from a user to read a file of a secure application, decrypts the file of the secure application that is read, and performs a read operation on the decrypted file.
Optionally, the method further includes:
The mobile terminal receives an instruction from the user to write a file of the secure application, encrypts the file of the secure application that is written, and performs a write operation on the encrypted file.
Optionally, performing the write operation on the encrypted file includes: performing the write operation on the encrypted file through a secure operating platform.
Optionally, performing the read operation on the decrypted file includes: performing the read operation on the decrypted file through the secure operating platform.
An embodiment of the present invention further provides an apparatus for managing an application, including:
A first processing module, configured to perform first processing on the installation package of an application to obtain target code;
A second processing module, configured to perform second processing on the target code to obtain the installation package of a secure application, where, after the second processing, the installation package of the secure application includes code for implementing a secure data transmission function.
Optionally, the second processing module is configured to:
Determine the location of first interface code in the target code, where the first interface code comprises the code that the application's input/output (I/O) operations in the target code invoke in the operating system of the mobile terminal;
Based on the determined location, replace the first interface code with pre-stored second interface code, which is the code that the application's I/O operations invoke in a secure operating platform pre-installed in the mobile terminal, where the second interface code includes the code for implementing the secure data transmission function;
Link, compile, and package the target code in which the first interface code has been replaced with the second interface code, to obtain the installation package of the secure application.
An embodiment of the present invention further provides a mobile terminal, including:
A receiving module, configured to receive an instruction from a user to read a file of a secure application;
An encryption/decryption module, configured to decrypt the file of the secure application that is read;
A read/write operation module, configured to perform a read operation on the decrypted file.
Optionally, the receiving module is further configured to:
Receive an instruction from the user to write a file of the secure application;
The encryption/decryption module is further configured to:
Encrypt the file of the secure application that is written;
The read/write operation module is further configured to perform a write operation on the encrypted file.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions for performing any one of the methods described above.
In the embodiments provided by the present invention, first processing is performed on the installation package of an application to obtain target code, and second processing is then performed on the target code to obtain the installation package of a secure application. Because the installation package of the secure application contains code for implementing a secure data transmission function, the data of the secure application cannot be stolen by a third party when the application runs on the mobile terminal, which improves the security of applications on the mobile terminal.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief Description of the Drawings
FIG. 1 is a flowchart of a method for managing an application according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for implementing read and write operations according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a method for managing an application according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a method by which a mobile terminal manages a secure application through an enterprise security container according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for managing an application according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a mobile terminal according to an embodiment of the present invention.
Embodiments of the Invention
The present invention is described in further detail below with reference to the drawings and specific embodiments. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another arbitrarily.
FIG. 1 is a flowchart of a method for managing an application according to an embodiment of the present invention. The method shown in FIG. 1 includes:
Step 101: The packager performs first processing on the installation package of the application to obtain target code.
In this step, the target code includes the target code of one or more files.
In this step, the application may be a text application, a Word application, an Excel application, or the like.
In this step, the packager performing first processing on the installation package of the application to obtain the target code includes:
The packager unpacks, decompiles, and disassembles the installation package of the application to obtain the target code.
In this step, how the installation package of the application is unpacked, decompiled, and disassembled can be implemented with techniques well known to those skilled in the art; this does not limit the scope of protection of the present invention and is not described further here.
Step 102: The packager performs second processing on the target code to obtain the installation package of a secure application, where, after the second processing, the installation package of the secure application includes code for implementing a secure data transmission function.
In this step, the packager performing second processing on the target code to obtain the installation package of the secure application includes:
The packager determines the location of first interface code in the target code, where the first interface code comprises the code that the application's input/output (I/O) operations in the target code invoke in the operating system of the mobile terminal;
Based on the determined location, the packager replaces the first interface code with pre-stored second interface code, which is the code that the application's I/O operations invoke in a secure operating platform pre-installed in the mobile terminal;
The packager links, compiles, and packages the target code in which the first interface code has been replaced with the second interface code, to obtain the installation package of the secure application.
The second interface code includes the code for implementing the secure data transmission function.
Specifically, because the operating system of a mobile terminal is usually open, running the secure application on a secure operating platform, rather than directly on that operating system where it could be attacked by malware, effectively reduces the likelihood of attack. The I/O interface code configured when the application was first developed targets the operating system of the mobile terminal. To ensure that the secure application can run on the secure operating platform, the configuration of the I/O interface must therefore be changed. From the target code, the location of the first interface code that I/O operations invoke in the operating system of the mobile terminal can be obtained effectively, and the first interface code in the target code can then be replaced with the second interface code.
In this step, the code for implementing the secure data transmission function includes encryption code for encrypting unencrypted information that is output, and/or decryption code for decrypting encrypted information that is received.
The code for implementing the secure data transmission function may further include code that uses the secure operating platform to handle I/O operations.
In this step, if the installation package of the secure application includes encryption code, the data that is output is encrypted. Because the output data has been encrypted, even if it is stolen by a third-party application, the third-party application cannot crack it; this protects the data the application sends and improves the security of the application. If the installation package of the secure application includes decryption code, the application can receive encrypted data. Because decryption is available locally, the encrypted data can be decrypted into plaintext, whereas a third party cannot decrypt it to obtain the plaintext; this protects the data the application receives and improves the security of the application.
The second interface code may replace the first interface code in the target code by code injection and/or function hooking.
Specifically, the code injection and function hooking techniques already available in the related art are applicable to the embodiments of the present invention and are not described further here.
Replacing the first interface code with the second interface code in this way means that no new application has to be developed. Given only the existing enterprise application, the ability to read and write encrypted files can be added to the enterprise mobile application conveniently and flexibly, and the source code of the original application is not required.
Referring to FIG. 2, an embodiment of the present invention further provides a method for implementing read and write operations, including:
Step 200: The mobile terminal receives an instruction from a user to read a file of a secure application, decrypts the file of the secure application that is read, and performs a read operation on the decrypted file.
In this step, the instruction to read a file of the secure application may be an instruction to open the file, an instruction to scroll through the file, or the like.
When the mobile terminal receives an instruction from the user to write a file of the secure application, it encrypts the file of the secure application that is written and performs a write operation on the encrypted file.
In the above method, the read operation and/or the write operation may be performed through the secure operating platform. For the mobile terminal to be able to read and/or write the files of the secure application, the secure operating platform must therefore be installed on the mobile terminal in advance, so that the secure application runs on the secure operating platform once it is opened.
The secure operating platform is obtained as follows:
Obtain an application that has an information isolation function (such as an enterprise security container);
Run the application that has the information isolation function to obtain the secure operating platform.
In practice, the secure operating platform may be developed in-house or built by installing an application that has an information isolation function.
In the method provided by the embodiments of the present invention, first processing is performed on the installation package of an application to obtain target code, and second processing is then performed on the target code to obtain the installation package of a secure application. Because the installation package of the secure application contains code information for implementing a secure data transmission function, the data of the secure application cannot be stolen by a third party after the installation package is installed on the mobile terminal, which improves the security of applications on the mobile terminal.
The method provided by the present invention is further described below through specific embodiments:
The description takes the Android system as an example, with the enterprise security container (ByodHome.APK) installed on a mobile phone as the secure operating platform:
FIG. 3 is a schematic diagram of a method for managing an application according to an embodiment of the present invention. The method shown in FIG. 3 includes:
Step 301: The packager performs first processing on the installation package of the application to obtain target code.
In this step, the APK decompilation tool (Apktool) is used to unpack, decompile, and disassemble the mobile application to obtain smali code (that is, the target code).
Step 302: The packager determines the location in the target code of the first interface code, that is, the code that the application's I/O operations in the target code invoke in the operating system of the mobile terminal.
In this step, the smali code is searched for the first interface code, and the locations in the target code at which the first interface code is found are recorded for later use.
The first interface code may occur at one or more locations in the target code, which include at least two: input and output.
Step 303: The packager replaces the first interface code in the target code with the second interface code.
In this step, the second interface code includes encryption code, and/or decryption code, and code that uses the security container to handle I/O operations.
The second interface code is injected at the location of the corresponding first interface code in the target code.
Step 304: The packager modifies the target code of the AndroidManifest.xml file to add the security container identifier.
In this step, once the security container identifier has been added to the target code of the AndroidManifest.xml file, the secure application appears only on the secure desktop corresponding to the security container and is not displayed on the ordinary desktop.
Step 305: The packager regenerates the installation package of the secure application.
In this step, the packager may use the Android Asset Packaging Tool (aapt) to link and compile the target code in which the first interface code has been replaced with the second interface code, and use apktool to package it, regenerating the installation package of the secure application.
Step 306: The packager re-signs the mobile application. The packager may re-sign the mobile application using the signing tool signapk with the default signature file or a signature file specified by the user.
Specifically, the first interface code in the target code can be replaced with the second interface code by code injection and function hooking. The application is thereby modified so that, when it is used to read, write, and edit files, unencrypted files are encrypted automatically and encrypted files are decrypted automatically. Once a file leaves this environment, third-party applications cannot open it because they have no access to the automatic decryption service, which protects the file's contents.
It can be seen from the above that code injection or API hook (HOOK) technology is used to replace the first interface code in the target code with the second interface code, giving the application file encryption and decryption capability, and that the application's file operation interface is changed from calling the system interface to pointing at the enterprise security container. The controlled application is thus managed by the enterprise security container, which provides the first layer of protection.
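Steps 302 and 303 above, sketched as an added example that is not code from the patent: it scans constructed smali text for framework file I/O call sites, records their positions and direction, and swaps constructor sites to container-side classes. The `com/example/container` class names, the choice of `java.io` stream classes as the first interface code, and the sample smali are assumptions; the patent names neither interface.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed "first interface code": framework file I/O classes, with direction.
FIRST_INTERFACE = {
    "Ljava/io/FileInputStream;": "input",
    "Ljava/io/FileReader;": "input",
    "Ljava/io/FileOutputStream;": "output",
    "Ljava/io/FileWriter;": "output",
}
# Hypothetical "second interface code" in the container. Assumed to subclass the
# framework classes, so existing invoke-virtual sites dispatch to the overrides.
SECOND_INTERFACE = {
    "Ljava/io/FileInputStream;": "Lcom/example/container/SecureFileInputStream;",
    "Ljava/io/FileOutputStream;": "Lcom/example/container/SecureFileOutputStream;",
}

INVOKE = re.compile(r"^\s*(invoke-[\w/-]+)\s+\{[^}]*\},\s*(L[^;]+;)->([^\s(]+)\(")
NEW_INSTANCE = re.compile(r"^(\s*new-instance\s+\w+,\s*)(L[^;]+;)\s*$")
CTOR = re.compile(r"^(\s*invoke-direct(?:/range)?\s+\{[^}]*\},\s*)(L[^;]+;)(-><init>\(.*)$")

@dataclass(frozen=True)
class Site:
    line: int        # 1-based line number in the smali file
    method: str      # enclosing method signature
    opcode: str
    owner: str       # class whose member is invoked
    member: str
    direction: str   # "input" or "output"

def locate(smali: str) -> list[Site]:
    """Step 302: record every call site that targets the first interface."""
    sites, method = [], "<none>"
    for no, text in enumerate(smali.splitlines(), 1):
        stripped = text.strip()
        if stripped.startswith(".method"):
            method = stripped.split()[-1]
        elif stripped == ".end method":
            method = "<none>"
        m = INVOKE.match(text)
        if m and m.group(2) in FIRST_INTERFACE:
            owner = m.group(2)
            sites.append(Site(no, method, m.group(1), owner, m.group(3),
                              FIRST_INTERFACE[owner]))
    return sites

def directions(sites: list[Site]) -> set[str]:
    """The page expects at least one input and one output location."""
    return {s.direction for s in sites}

def unmapped(sites: list[Site]) -> list[Site]:
    """Constructor sites with no replacement: these would still write plaintext."""
    return [s for s in sites if s.member == "<init>" and s.owner not in SECOND_INTERFACE]

def rewrite(smali: str) -> tuple[str, list[int]]:
    """Step 303: point object creation at the second interface classes."""
    out, changed = [], []
    for no, text in enumerate(smali.splitlines(), 1):
        new = text
        m = NEW_INSTANCE.match(text)
        if m and m.group(2) in SECOND_INTERFACE:
            new = m.group(1) + SECOND_INTERFACE[m.group(2)]
        m = CTOR.match(text)
        if m and m.group(2) in SECOND_INTERFACE:
            new = m.group(1) + SECOND_INTERFACE[m.group(2)] + m.group(3)
        if new != text:
            changed.append(no)
        out.append(new)
    return "\n".join(out), changed

# Constructed sample input, not taken from any real application.
SAMPLE = """\
.class public Lcom/example/notes/NoteStore;
.super Ljava/lang/Object;

.method public save(Ljava/lang/String;[B)V
    .locals 1
    new-instance v0, Ljava/io/FileOutputStream;
    invoke-direct {v0, p1}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0, p2}, Ljava/io/FileOutputStream;->write([B)V
    invoke-virtual {v0}, Ljava/io/FileOutputStream;->close()V
    return-void
.end method

.method public load(Ljava/lang/String;[B)I
    .locals 2
    new-instance v0, Ljava/io/FileInputStream;
    invoke-direct {v0, p1}, Ljava/io/FileInputStream;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0, p2}, Ljava/io/FileInputStream;->read([B)I
    move-result v1
    return v1
.end method

.method public export(Ljava/lang/String;)V
    .locals 1
    new-instance v0, Ljava/io/FileWriter;
    invoke-direct {v0, p1}, Ljava/io/FileWriter;-><init>(Ljava/lang/String;)V
    return-void
.end method
"""

if __name__ == "__main__":
    found = locate(SAMPLE)
    for s in found:
        print(s.line, s.direction, s.method, s.owner + "->" + s.member)
    print("unmapped:", [s.line for s in unmapped(found)])
    print("rewritten lines:", rewrite(SAMPLE)[1])
```

Constructor sites with no container-side equivalent (the `FileWriter` call here) are reported rather than silently skipped, since an unwrapped write path would still store plaintext.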
FIG. 4 is a schematic diagram of a method by which a mobile terminal manages a secure application through an enterprise security container according to an embodiment of the present invention. The method shown in FIG. 4 includes:
Step 401: The mobile terminal obtains the installation package of the enterprise security container and installs it.
Step 402: The mobile terminal obtains the installation package of the secure application and installs it.
Step 403: The mobile terminal receives an instruction from a user to read a file of the secure application, decrypts the file of the secure application that is read, and sends the decrypted file to the enterprise security container through Android's IBinder interface; the enterprise security container performs the read operation on the decrypted file.
When the mobile terminal receives an instruction from the user to write a file of the secure application, it encrypts the file of the secure application that is written and sends the encrypted file to the enterprise security container through the Android IBinder interface; the enterprise security container performs the write operation on the encrypted file.
Here, enterprise security container management means installing the enterprise security container application on the mobile phone, replacing the interfaces through which the original application calls the system to read and write with the security container's read and write interfaces, and writing the encrypted file into the sandbox isolation area of the enterprise security container.
The isolation sandbox provides a layer of protection, so that software need not worry about the system being modified. Malware or a Trojan must first find a way to break through the isolation sandbox's virtual system and restricted permissions, and must then still decode the files of the secure application. The isolation sandbox of the security container and the encryption of the secure application's files together form two solid lines of defense against viruses and Trojans, giving the strongest defensive effect.
Install the enterprise security container byodHome.APK and use it to manage secure applications. Through kernel-space API interception and user-space API interception, the secure application runs only in the isolation sandbox of the enterprise security container. The isolation sandbox provides a copy of the system environment with some permissions reduced. All operations by programs in the sandbox, such as creating files, modifying files, and changing the registry, are not actually applied to the system but to a copy, and this copy is invisible to normal programs on the real system. Nothing in the system is changed, so a Trojan cannot survive; it disappears when the sandbox is cleared. The isolation sandbox of the security container provides the second layer of protection.
In the related art, when an ordinary application performs a read/write operation, it writes plaintext directly to a file on the phone. The data may be intercepted or modified by other malware while it is being written, and the file saved on the disk has no protection at all; any application has permission to read it.
With the present invention, no new application has to be developed. Given only the existing enterprise application, the ability to read and write encrypted files can be added to the enterprise mobile application conveniently and flexibly, and the source code of the original application is not required. File read/write encryption is first implemented through simple security hardening; file operations are then performed in the sandbox isolation area through the enterprise security container, without using the system read/write interfaces. This provides two layers of protection and reduces the possibility that the application is modified. Malware or a Trojan must first find a way to break through the isolation sandbox's virtual system and restricted permissions, and then still faces the file encryption added by hardening the mobile application, which it cannot crack. The isolation sandbox of the security container and the file encryption added by security hardening together form two solid lines of defense against viruses and Trojans, giving the strongest defensive effect.
The invention provides a system for securing file operations in mobile applications, using the dual protection of file encryption and a sandbox.
The system is simple to operate: it is only necessary to harden the controlled application with file encryption and to install the enterprise security container on the mobile phone.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions for performing any one of the methods described above.
FIG. 5 is a schematic structural diagram of an apparatus for managing an application according to an embodiment of the present invention. The apparatus shown in FIG. 5 includes:
A first processing module, configured to perform first processing on the installation package of an application to obtain target code;
A second processing module, configured to perform second processing on the target code to obtain the installation package of a secure application, where, after the second processing, the installation package of the secure application includes code for implementing a secure data transmission function.
In the apparatus of the present invention, the second processing module is configured to:
Determine the location of first interface code in the target code, where the first interface code comprises the code that the application's input/output (I/O) operations in the target code invoke in the operating system of the mobile terminal;
Based on the determined location, replace the first interface code with pre-stored second interface code, which is the code that the application's I/O operations invoke in a secure operating platform pre-installed in the mobile terminal, where the second interface code includes the code for implementing the secure data transmission function;
Link, compile, and package the target code in which the first interface code has been replaced with the second interface code, to obtain the installation package of the secure application.
参见图6,本发明实施例还提出了一种移动终端,包括:Referring to FIG. 6, an embodiment of the present invention further provides a mobile terminal, including:
接收模块,设置为接收到来自用户的读取安全应用的文件的指令; a receiving module, configured to receive an instruction from a user to read a file of the security application;
加解密模块,设置为对读取的安全应用的文件进行解密;The encryption and decryption module is configured to decrypt the file of the read security application;
读写操作模块,设置为对解密后的文件进行读操作。The read/write operation module is set to read the decrypted file.
本发明的移动终端中,所述接收模块还设置为:In the mobile terminal of the present invention, the receiving module is further configured to:
接收到来自所述用户的写入安全应用的文件的指令;Receiving an instruction from the user to write a file of the secure application;
所述加解密模块还设置为:The encryption and decryption module is further configured to:
对写入的安全应用的文件进行加密;Encrypt the file of the written secure application;
所述读写操作模块还设置为:对加密后的文件进行写操作。本领域普通技术人员可以理解上述实施例的全部或部分步骤可以使用计算机程序流程来实现,所述计算机程序可以存储于一计算机可读存储介质中,所述计算机程序在相应的硬件平台上(如系统、设备、装置、器件等)执行,在执行时,包括方法实施例的步骤之一或其组合。The read/write operation module is further configured to: write the encrypted file. One of ordinary skill in the art will appreciate that all or a portion of the steps of the above-described embodiments can be implemented using a computer program flow, which can be stored in a computer readable storage medium, such as on a corresponding hardware platform (eg, The system, device, device, device, etc. are executed, and when executed, include one or a combination of the steps of the method embodiments.
Optionally, all or some of the steps of the above embodiments may also be implemented using integrated circuits; these steps may each be fabricated as an individual integrated circuit module, or several of the modules or steps may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The apparatuses/functional modules/functional units in the above embodiments may be implemented by general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by multiple computing devices.
When the apparatuses/functional modules/functional units in the above embodiments are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
Those of ordinary skill in the art will understand that all or some of the steps of the above methods may be completed by a program instructing related hardware (for example, a processor); the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk, or an optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in hardware, for example by an integrated circuit that implements its function, or as a software functional module, for example by a processor executing programs/instructions stored in memory to implement its function. The present invention is not limited to any specific form of combination of hardware and software.
The above is merely a specific implementation of the present invention, but the scope of protection of the present invention is not limited to it; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.
Industrial Applicability
The embodiments of the present invention improve the security of applications in a mobile terminal.
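The interface replacement and the read/write modules described above, sketched as an added Node.js example (not code from the patent or its applicant): an application's file I/O entry points are repointed at a secure platform that encrypts on write and decrypts on read. AES-256-GCM, the `SEC1` file layout, the in-memory key and all names (`makeSecurePlatform`, `hookAppIo`, `appIo`) are assumptions; the patent names no cipher or file format.

```javascript
// Added illustration; names, cipher and file layout are assumptions, not from the patent.
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

const MAGIC = Buffer.from('SEC1'); // constructed 4-byte marker for secure-app files

// "Second interface code": file I/O as offered by the secure runtime platform.
// On-disk layout: MAGIC(4) | nonce(12) | GCM tag(16) | ciphertext
function makeSecurePlatform(key) {
  return {
    writeFile(file, plaintext) {
      const nonce = crypto.randomBytes(12); // fresh per write; never reuse with one key
      const enc = crypto.createCipheriv('aes-256-gcm', key, nonce);
      enc.setAAD(MAGIC);
      const body = Buffer.concat([enc.update(plaintext), enc.final()]);
      fs.writeFileSync(file, Buffer.concat([MAGIC, nonce, enc.getAuthTag(), body]));
    },
    readFile(file) {
      const blob = fs.readFileSync(file);
      if (blob.length < 32 || !blob.subarray(0, 4).equals(MAGIC)) {
        throw new Error('not a secure-application file');
      }
      const dec = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(4, 16));
      dec.setAAD(MAGIC);
      dec.setAuthTag(blob.subarray(16, 32));
      // final() throws if the ciphertext, tag or marker was modified
      return Buffer.concat([dec.update(blob.subarray(32)), dec.final()]);
    },
  };
}

// "First interface code": the application's I/O entry points, initially plain OS calls.
const appIo = {
  writeFile: (file, data) => fs.writeFileSync(file, data),
  readFile: (file) => fs.readFileSync(file),
};

// Function-hook style replacement: repoint the entries at the secure platform.
function hookAppIo(io, platform) {
  io.writeFile = platform.writeFile;
  io.readFile = platform.readFile;
  return io;
}

function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'secapp-'));
  const file = path.join(dir, 'notes.dat');
  const key = crypto.randomBytes(32); // assumption: production keys live in a platform keystore
  const secret = Buffer.from('constructed sample record');
  hookAppIo(appIo, makeSecurePlatform(key));
  appIo.writeFile(file, secret);                 // application code itself is unchanged
  const onDisk = fs.readFileSync(file);          // what a direct read of storage returns
  const plaintextOnDisk = onDisk.includes(secret);
  const roundTrip = appIo.readFile(file);
  onDisk[onDisk.length - 1] ^= 1;                // flip one ciphertext bit
  fs.writeFileSync(file, onDisk);
  let tamperDetected = false;
  try { appIo.readFile(file); } catch (e) { tamperDetected = true; }
  fs.rmSync(dir, { recursive: true, force: true });
  return { roundTripOk: roundTrip.equals(secret), plaintextOnDisk, tamperDetected };
}
```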

Claims (15)

  1. A method for managing an application, comprising:
    a packager performing first processing on an installation package of an application to obtain target code;
    the packager performing second processing on the target code to obtain an installation package of a secure application, wherein, after the second processing, the installation package of the secure application includes code for implementing a secure data transmission function.
  2. The method according to claim 1, wherein the packager performing first processing on the installation package of the application to obtain the target code comprises:
    the packager unpacking, decompiling, and disassembling the installation package of the application to obtain the target code.
  3. The method according to claim 1, wherein the packager performing second processing on the target code to obtain the installation package of the secure application comprises:
    the packager determining a location of first interface code in the target code; wherein the first interface code comprises: code that the input/output (I/O) operations of the application in the target code invoke in the operating system of the mobile terminal;
    the packager replacing, according to the determined location, the first interface code with pre-stored second interface code that the I/O operations of the application invoke in a secure runtime platform pre-installed in the mobile terminal; wherein the second interface code includes the code for implementing the secure data transmission function;
    the packager linking, compiling, and packaging the target code in which the first interface code has been replaced with the second interface code, to obtain the installation package of the secure application.
  4. The method according to claim 3, wherein replacing the first interface code with the second interface code comprises:
    replacing the first interface code with the second interface code by code injection and/or function hooking.
  5. The method according to claim 1, wherein the code for implementing the secure data transmission function comprises encryption code for encrypting outgoing unencrypted information and/or decryption code for decrypting received encrypted information.
  6. The method according to claim 5, wherein the code for implementing the secure data transmission function further comprises: code that uses the secure runtime platform to handle I/O operations.
  7. A method for implementing read and write operations, comprising:
    a mobile terminal receiving an instruction from a user to read a file of a secure application, decrypting the file of the secure application that is read, and performing a read operation on the decrypted file.
  8. The method according to claim 7, further comprising:
    the mobile terminal receiving an instruction from the user to write a file of the secure application, the mobile terminal encrypting the file of the secure application that is written, and performing a write operation on the encrypted file.
  9. The method according to claim 8, wherein performing the write operation on the encrypted file comprises:
    performing the write operation on the encrypted file through a secure runtime platform.
  10. The method according to claim 7 or 8, wherein performing the read operation on the decrypted file comprises:
    performing the read operation on the decrypted file through a secure runtime platform.
  11. An apparatus for managing an application, comprising:
    a first processing module, configured to perform first processing on an installation package of an application to obtain target code;
    a second processing module, configured to perform second processing on the target code to obtain an installation package of a secure application, wherein, after the second processing, the installation package of the secure application includes code for implementing a secure data transmission function.
  12. The apparatus according to claim 11, wherein the second processing module is configured to:
    determine a location of first interface code in the target code; wherein the first interface code comprises: code that the input/output (I/O) operations of the application in the target code invoke in the operating system of the mobile terminal;
    replace, according to the determined location, the first interface code with pre-stored second interface code that the I/O operations of the application invoke in a secure runtime platform pre-installed in the mobile terminal; wherein the second interface code includes the code for implementing the secure data transmission function;
    link, compile, and package the target code in which the first interface code has been replaced with the second interface code, to obtain the installation package of the secure application.
  13. A mobile terminal, comprising:
    a receiving module, configured to receive an instruction from a user to read a file of a secure application;
    an encryption/decryption module, configured to decrypt the file of the secure application that is read;
    a read/write operation module, configured to perform a read operation on the decrypted file.
  14. The mobile terminal according to claim 13, wherein the receiving module is further configured to:
    receive an instruction from the user to write a file of the secure application;
    the encryption/decryption module is further configured to:
    encrypt the file of the secure application that is written;
    the read/write operation module is further configured to: perform a write operation on the encrypted file.
  15. A computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the method according to any one of claims 1 to 10.
PCT/CN2016/074131 2015-06-26 2016-02-19 Method and apparatus for managing application and method and apparatus for implementing read-write operation WO2016206393A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510364576.0A CN106326733A (en) 2015-06-26 2015-06-26 Method and apparatus for managing applications in mobile terminal
CN201510364576.0 2015-06-26

Publications (1)

Publication Number Publication Date
WO2016206393A1 (en) 2016-12-29

Family

ID=57584616

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/074131 WO2016206393A1 (en) 2015-06-26 2016-02-19 Method and apparatus for managing application and method and apparatus for implementing read-write operation

Country Status (2)

Country Link
CN (1) CN106326733A (en)
WO (1) WO2016206393A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108427763B (en) * 2017-02-27 2020-08-18 伟迈云科技股份有限公司 Webpage display device
CN107679399A (en) * 2017-10-19 2018-02-09 郑州云海信息技术有限公司 A kind of Malicious Code Detection sandbox system and detection method based on container

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
CN103685251A (en) * 2013-12-04 2014-03-26 电子科技大学 Android malicious software detecting platform oriented to mobile internet
CN104252605A (en) * 2014-09-17 2014-12-31 南京信息工程大学 Method and system for file transparent encryption and decryption of Android platform
CN104484607A (en) * 2014-12-16 2015-04-01 上海交通大学 Universal method and universal system for performing safety testing on Android application programs

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101051641B1 (en) * 2010-03-30 2011-07-26 주식회사 안철수연구소 Mobile communication terminal and behavior based checking virus program method using the same
CN102073830B (en) * 2011-01-12 2014-05-14 深圳昂楷科技有限公司 Method for dynamically extending additional information of transparent encrypted file
US9535674B2 (en) * 2012-12-21 2017-01-03 Bmc Software, Inc. Application wrapping system and method
CN103914637B (en) * 2013-01-07 2017-06-09 北京洋浦伟业科技发展有限公司 A kind of executable program encryption method of Android platform
CN103268456B (en) * 2013-05-31 2017-02-08 杭州华三通信技术有限公司 Method and device for file safety control
CN104239808A (en) * 2013-06-14 2014-12-24 北京数码视讯科技股份有限公司 Method and device for encryption transmission of data
CN103581196B (en) * 2013-11-13 2016-05-11 上海众人网络安全技术有限公司 Distributed document transparent encryption method and transparent decryption method
CN104102880B (en) * 2014-06-30 2016-10-05 华中科技大学 A kind of application program rewrite method detecting the attack of Android privilege-escalation and system
CN104252374B (en) * 2014-10-17 2018-04-20 北京奇虎科技有限公司 The program management-control method and device changed based on framework
CN104408367B (en) * 2014-11-28 2019-04-05 北京奇虎科技有限公司 Application program configuration method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HU , WENJUN ET AL.: "A Detection Method and System Implementation for Android Malware", JOURNAL OF XI'AN JIAOTONG UNIVERSITY, vol. 47, no. 10, 31 October 2013 (2013-10-31) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109977040A (en) * 2019-03-27 2019-07-05 努比亚技术有限公司 File read-write authority control method, device, terminal and storage medium
CN109977040B (en) * 2019-03-27 2023-11-14 努比亚技术有限公司 File read-write permission control method, device, terminal and storage medium
CN112711426A (en) * 2019-10-24 2021-04-27 北京车和家信息技术有限公司 Embedded system installation package generation method and device and server
CN112711426B (en) * 2019-10-24 2023-12-26 北京车和家信息技术有限公司 Embedded system installation package generation method, device and server
CN111176663A (en) * 2019-12-20 2020-05-19 北京字节跳动网络技术有限公司 Data processing method, device and equipment of application program and storage medium
CN111176663B (en) * 2019-12-20 2024-02-02 抖音视界有限公司 Data processing method, device, equipment and storage medium of application program

Also Published As

Publication number Publication date
CN106326733A (en) 2017-01-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16813509

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16813509

Country of ref document: EP

Kind code of ref document: A1