WO2017162081A1 - Method and system for controlling access to clipboard, and storage medium - Google Patents


Publication number: WO2017162081A1
Authority: WO, WIPO (PCT)
Prior art keywords: clipboard, private, data, application, legitimate
Application number: PCT/CN2017/076858
Other languages: French (fr), Chinese (zh)
Inventors: 俞研, 董振江, 吴家顺, 王蔚
Original Assignee: 中兴通讯股份有限公司
Application filed by: 中兴通讯股份有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/629 Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • The invention relates to mobile terminal security technology, in particular to a clipboard access control method and system, and a storage medium.
  • The clipboard is globally accessible: an application needs no permission to access it, and can even register a listener to monitor changes in the content of the cut data.
  • An illegal application may therefore monitor clipboard data, or even maliciously tamper with it. In a BYOD environment, the user's private information and the company's confidential information may leak through clipboard operations.
  • The embodiment of the invention provides a clipboard access control method and system, and a storage medium, to solve the technical problem in the related art that data leaks when an illegal application monitors the data of the system clipboard.
  • an embodiment of the present invention provides a clipboard access control method, including:
  • the private cut data requested by the data acquisition request is extracted and sent to the requestor application.
  • the method further includes: receiving a data cache request sent by the legitimate application;
  • the secure clipboard service performs security authentication on the data cache request; if the authentication passes, the private cut data is extracted from the private clipboard of the legitimate application and sent to the secure clipboard service for caching.
  • the method further includes: receiving a data acquisition request sent by the requester application; the private cut data requested by the data acquisition request is extracted from the secure clipboard service and sent to the requester application.
  • before sending the cut data to the secure clipboard, the method further includes: encrypting the cut data according to a preset encryption rule;
  • the obtained ciphertext data is decrypted by the requesting application according to a preset encryption rule.
  • the setting a private clipboard for a legitimate application includes: setting a private clipboard for each legitimate application;
  • the storing the private cut data into the private clipboard includes: storing the cut data in a private clipboard of each legitimate application itself.
  • the method further includes: listening for the private cut data in order to receive private clipboard data sending notifications from the legitimate application or the secure clipboard service.
  • the embodiment of the invention further provides a clipboard access control system, comprising:
  • a private clipboard setting module configured to set up a private clipboard for legitimate applications.
  • a secure clipboard service setting module configured to set a secure clipboard service for the private clipboard
  • a data acquisition module configured to acquire private cut data of the legitimate application
  • a storage module configured to store the private cut data in the private clipboard
  • a receiving module configured to receive a data acquisition request sent by the requesting application
  • An authentication module configured to perform security authentication on the data acquisition request
  • a sending module configured to: after the authentication module passes the authentication, extract the private cut data requested by the data acquisition request, and send the data to the requestor application.
  • the receiving module is further configured to: after the storage module stores the private cut data into the private clipboard, receive a data cache request sent by the legitimate application;
  • the authentication module is further configured to perform security authentication on the data cache request.
  • the sending module is further configured to: if the authentication passes, extract the private cut data from the private clipboard of the legitimate application, and send the data to the secure clipboard service for caching.
  • the receiving module includes a receiving submodule
  • the sending module includes a sending submodule
  • the receiving submodule is configured to receive a data acquisition request sent by the requesting application after the private cut data is extracted and sent to the secure clipboard service for caching;
  • the sending submodule is configured to extract the private cut data requested by the data acquisition request from the secure clipboard service and send it to the requester application.
  • the system further includes:
  • the encryption module is configured to perform encryption processing on the cut data according to a preset encryption rule
  • the decryption module is configured so that, after the receiving module receives the data acquisition request of the requesting application, the requesting application decrypts the acquired ciphertext data according to the preset encryption rule.
  • the private clipboard setting module is further configured to set a private clipboard for each legitimate application
  • the storing, by the storage module, the private cut data in the private clipboard includes: storing the cut data in a private clipboard of each legitimate application itself.
  • the system further includes: a listening module configured to listen for the private cut data in order to receive private clipboard data sending notifications from the legitimate application or the secure clipboard service.
  • the embodiment of the invention further provides a clipboard access control system, comprising:
  • the processor performs the following operations:
  • the private cut data requested by the data acquisition request is extracted and sent to the requestor application.
  • the embodiment of the present invention further provides a storage medium, which stores executable instructions, and the executable instructions are used to execute the clipboard access control method provided by the embodiment of the present invention.
  • The private cut data of the legitimate application is obtained and stored in the private clipboard, which effectively prevents an illegal application that listens to the system clipboard from also capturing the private cut data exchanged by legitimate applications.
  • When private cut data needs to be exchanged between legitimate applications, the legitimate application encrypts the private clipboard data and stores it in the secure clipboard service.
  • The requester application sends a data acquisition request to the secure clipboard service; the secure clipboard service performs security authentication on the data acquisition request and, if the authentication passes, extracts the private cut data requested by the data acquisition request and sends it to the requester application.
  • Figure 1 is a flow chart of an illegal application stealing and tampering attack on private clip data on a clipboard
  • FIG. 2 is a flowchart of a method for controlling access to a clipboard according to Embodiment 1 of the present invention
  • FIG. 3 is a flowchart of another method for controlling access to a clipboard according to Embodiment 2 of the present invention.
  • FIG. 4 is a schematic structural diagram of a clipboard access control system according to Embodiment 3 of the present invention.
  • FIG. 5 is a schematic structural diagram of hardware of a clipboard access control system according to an embodiment of the present invention.
  • The illegal application can monitor changes to the data on the clipboard by registering a system clipboard data change listener with the Android system, thereby obtaining the private cut data, which results in theft of and tampering attacks on the private cut data. The clipboard access control method provided by the embodiment of the present invention therefore sets a private clipboard and a secure clipboard service and checks access rights when a requesting application acquires data, which blocks an illegal application from monitoring the clipboard used by a legitimate application. Such applications can no longer monitor changes in the private cut data of legitimate applications, which blocks theft of and tampering attacks on private cut data.
  • An embodiment of the present invention provides a clipboard access control method, including: setting a private clipboard for a legitimate application, and setting a secure clipboard service for the private clipboard; obtaining the private cut data of the legitimate application and storing it in the private clipboard; when legitimate applications need to exchange private cut data, first receiving the data acquisition request that the requester application sends to the secure clipboard service; the secure clipboard service performs security authentication on the data acquisition request and, if the authentication passes, the private cut data is sent to the requester application.
  • A legitimate application, as the term is used in the present invention, is an application into which the private clipboard provided by the present invention has been inserted and which has passed security authentication; an application with the private clipboard inserted is not an illegal application;
  • the Secure Clipboard service is used to check the access rights of the application to access clipboard data, as well as to cache private cut data.
  • Embodiment 1:
  • As shown in FIG. 1, an illegal application's theft and tampering attack on private cut data on the clipboard includes the following steps:
  • the illegal application 102 acquires a ClipboardManager object 106 by calling an Activity component 103, for example by calling the Get method in the Activity component 103, in order to operate on the clipboard;
  • the illegal application 102 creates an object that implements the OnPrimaryClipChangedListener interface 105 and overrides the method that is notified when the private cut data in the clipboard changes;
  • the illegal application 102 adds the object created by S112 to the ClipboardManager object 106, so that the object's change notification is called whenever the private cut data of the clipboard changes;
  • when the legitimate application 101 uses the clipboard for read and write operations, it first calls the Get method in the Activity component 103 to obtain the ClipboardManager object 106;
  • the legitimate application 101 creates a private ClipData object 104 and assigns to it the private cut data to be written to the clipboard, where the ClipData object 104 is the basic unit of private cut data access;
  • the legitimate application 101 calls the Set method of the ClipboardManager object 106 to write the private cut data object 104 created by S115 to the clipboard;
  • the clipboard listener interface 105 calls the Get method of the ClipboardManager object 106 to obtain the private cut data currently stored in the system clipboard;
  • the ClipboardManager object 106 sends the private cut data to the illegal application 102, so that the illegal application acquires the private cut data currently stored on the clipboard, completing the data stealing attack;
  • the illegal application 102 may tamper with the obtained private cut data, that is, write code commands, scripts, and the like for implementing the attack;
  • the illegal application 102 calls the Set method of the ClipboardManager object 106 to write the falsified data back into the system clipboard, completing the data tampering attack, and can further implement code injection and the like by using the falsified private cut data.
  • The system clipboard in FIG. 1 is an open clipboard without any permission restrictions. It temporarily stores the data obtained by the copy or cut operations of each legitimate application and provides that data to the same or different applications. Because an illegal application can also register with the ClipboardManager object of the system clipboard to listen for changes in the private cut data, and can access it without any permissions, the data that each application stores on the clipboard can be obtained by other unauthorized applications. Clipboard access in a BYOD environment therefore carries a risk of data leakage.
  • the embodiment provides a clipboard access control method, as shown in FIG. 2 .
  • FIG. 2 is a flowchart of a method for controlling access to a clipboard according to the embodiment.
  • the specific control steps are as follows:
  • A private clipboard is set for the legitimate application, and the data obtained by cutting or copying is transferred to the private clipboard. This preserves the data copy/paste function while ensuring the security of the private cut data, which cannot be intercepted by illegal applications.
  • The private clipboard and the system clipboard can be invoked either through the application interface or through manual operation of visual controls, but both ways ultimately operate the clipboard through the ClipboardManager object. The pointer to the ClipboardManager object in the Android application is therefore redirected to the private clipboard object, which effectively blocks the illegal application's monitoring of the clipboard.
  • When a private clipboard is set for the legitimate application, a private clipboard can be set for each legitimate application; after each legitimate application obtains private cut data, it stores that data in its own private clipboard. Note that the private clipboard is implemented as a memory area in the private space of the process, accessible only to the current process; a process cannot access the private clipboard of another process. This gives each application its own clipboard access function. Alternatively, the memory area can be set up through hardware features. Either way, the clipboard becomes private.
  • A secure clipboard service is provided for the private clipboard. The secure clipboard service performs security authentication on received data acquisition requests, and can also be used for data exchange between legitimate applications: it temporarily stores the private cut data that needs to be exchanged between different applications and protects that data. The secure clipboard service first receives the data acquisition request sent by the legitimate application and then performs security authentication on it; if the data acquisition request is authenticated, the private cut data it requests is sent to the requester application.
  • the method further includes: receiving a data cache request sent by the legitimate application; performing security authentication on the data cache request by using the secure clipboard service; if the authentication is passed, the private cut data is extracted from the private clipboard of the legitimate application and sent to the secure clipboard service for caching.
  • The provided clipboard access control method further includes encrypting the private cut data according to a preset encryption rule; that is, the private cut data must be encrypted before it is sent, to prevent the data from being intercepted by an illegal application.
  • The private cut data may be encrypted with a symmetric encryption algorithm in cipher block chaining mode (such as the SM4 algorithm issued by the National Cryptographic Office of China), where the key is derived from the user group defined by the security policy.
  • The ciphertext data produced by the encryption algorithm is sent to the requesting application; after receiving the ciphertext data, the requesting application decrypts it with the encryption key to obtain the private cut data in plaintext.
  • When the ciphertext data is sent, it may be broadcast to the legitimate application. A private clipboard data listening process is also set up on the secure clipboard service and on the legitimate application to monitor the data that the secure clipboard service or the legitimate application receives.
  • The system calls back the pause (onPause) method of the current activity and pauses the activity of the current application, which moves to the inactive state. At this point, the current legitimate application calls the preset encryption rule to encrypt the private cut data and broadcasts the ciphertext data to the secure clipboard service.
  • The broadcast sent by the legitimate application to the secure clipboard service includes the private cut ciphertext data and information on the group to which the application belongs.
  • The system calls back the activity resume (onResume) method, and at this point the requester application sends a private cut data request broadcast to the secure clipboard service.
  • The method further includes: listening on the secure clipboard service for incoming private cut data, in order to receive cache notifications of private cut data from legitimate applications; a listener for private cut data is also set up on the legitimate application to receive private cut data transmission notifications from the secure clipboard service.
  • Embodiment 2:
  • FIG. 3 is another method for controlling the access of the clipboard according to the embodiment.
  • The clipboard access control method provided by the embodiment is described using the Android system as an example. The steps are as follows:
  • the illegal application 302 acquires the ClipboardManager object 306 by calling the Get method in the Activity component 303, in order to operate on the system clipboard.
  • the illegal application 302 creates an object that implements the OnPrimaryClipChangedListener interface 305 and overrides the method that is notified when the cut data in the system clipboard changes.
  • the illegal application 302 adds the object created in step S313 to the ClipboardManager object 306 of the system, so that the object's change notification is called whenever the cut data changes;
  • when the legitimate application 301 uses the private clipboard for read and write operations, it first calls the Get method in the Activity component 303 to obtain the ClipboardManager object 306;
  • the legitimate application 301 creates a private cut data object 304, and assigns the private cut data to be written to the private clipboard to the private cut data object 304, wherein the private cut data object 304 is private cut data.
  • the legitimate application 301 redirects the pointer to the ClipboardManager object 306 to the private clipboard object 307;
  • the legitimate application 301 calls the Set method of the private clipboard object 307 to write the private cut data object 304 created in step S317 into the private clipboard;
  • the legitimate application 301 calls the Get method of the private clipboard object 307 to obtain the private cut data currently stored in the private clipboard;
  • the current legitimate application 301 invokes the encryption method of the encryption rule 308 to encrypt the private cut data in the current private clipboard to generate ciphertext data;
  • the current legitimate application 301 sends a broadcast message to the secure clipboard service 309, where the broadcast message includes the ciphertext data generated in step S322 and the group information and feature information of the current legitimate application;
  • the secure clipboard service 309 receives the message sent in step S323 and stores the ciphertext data of the private cut data locally;
  • the requesting party's legitimate application 301 sends a private cut data request broadcast to the secure clipboard service 309, where the broadcast message includes a request for acquiring the private cut ciphertext data and the group information and the feature information included in step S323;
  • the secure clipboard service 309 performs a permission check on the request in step S326, and determines whether to allow the requested private cut ciphertext data to be sent;
  • the secure clipboard service 309 sends the currently stored ciphertext data to the requesting application 301 as a ciphertext broadcast;
  • the requesting party application 301 calls the decryption method of the encryption rule 308 to decrypt the private cut ciphertext data and obtain the private cut data in plaintext;
  • the encryption rule 308 sends the recovered private cut data plaintext to the requesting party's legitimate application 301;
  • the requesting legitimate application 301 writes the private cut data plaintext to its own private clipboard object 307, thereby completing the cross-application acquisition of the private cut data.
  • A private clipboard and an encryption/decryption rule are set in each legitimate application. The secure clipboard service can be a system service shared by the legitimate applications, and any legitimate application has access rights to it.
  • The secure clipboard service may also be set in each legitimate application, that is, each legitimate application is provided with its own independent secure clipboard service. When private cut data needs to be exchanged, each legitimate application first encrypts the private cut data that needs to be sent, then sends it to its own secure clipboard service, and finally broadcasts the encrypted ciphertext data to the legitimate applications that need it. In one embodiment, before the ciphertext data is broadcast, a data acquisition request from the requesting application must also be received and security-authenticated; if the authentication passes, the corresponding ciphertext data is broadcast to the requester application.
  • Embodiment 3:
  • FIG. 4 is a clipboard access control system 40 according to the embodiment.
  • the clipboard access control system includes:
  • a private clipboard setting module 401 configured to set a private clipboard for a legitimate application; in one embodiment, when setting a private clipboard, a private clipboard can be set for each legitimate application, in which the legitimate application stores its own private cut data.
  • a secure clipboard service setting module 402 configured to set a secure clipboard service for the private clipboard
  • the data obtaining module 403 is configured to acquire private cut data of the legitimate application
  • the storage module 404 is configured to store the private cut data into the private clipboard. When each legitimate application has its own independent private clipboard, the storage module 404 specifically stores each legitimate application's own private cut data in its own corresponding private clipboard.
  • the receiving module 405 is configured to receive a data acquisition request sent by the requesting application
  • the authentication module 406 is configured to perform security authentication on the data acquisition request.
  • the sending module 407 is configured to: after the authentication module passes the authentication, extract the private cut data requested by the data acquisition request, and send the data to the requester application.
  • The private clipboard is used to store the private cut data, which isolates the data storage and prevents an illegal application that monitors the system clipboard from obtaining, or even tampering with, the private cut data.
  • the receiving module 405 includes a receiving submodule
  • the sending module 407 includes a sending submodule
  • the receiving submodule is configured to store the private cut data in the storage module 404.
  • the clipboard access control system 40 further includes:
  • the encryption module 408 is configured to perform encryption processing on the private cut data according to a preset encryption rule; the sending module 407 sends the ciphertext data obtained through the encryption process to the requester application;
  • the decryption module 409 is configured so that, after the receiving module 405 receives the data acquisition request of the requesting application, the requesting application decrypts the ciphertext data according to a preset encryption rule.
  • the clipboard access control system 40 further includes: a listening module 410, configured to listen for the private cut data after the private clipboard setting module 401 sets a secure clipboard service for the legitimate application, in order to receive private clipboard data transmission notifications from the secure clipboard service or the private clipboard.
  • FIG. 5 is a schematic structural diagram of hardware of a clipboard access control system according to an embodiment of the present invention, including:
  • a processor 510, an input/output interface 530 (such as one or more of a display, a keyboard, a touch screen, a speaker microphone), a storage medium 540, and a network interface 520 (using various wired or wireless communication technologies); the components can be connected for communication via a system bus 550.
  • the storage medium 540 may be a ROM (e.g., a read only memory, a FLASH memory, a transfer device, etc.), a magnetic storage medium (e.g., a magnetic tape, a magnetic disk drive, etc.), an optical storage medium (e.g., a CD-ROM, a DVD-ROM, a paper card, a tape, etc.), and other well-known types of program memory; the storage medium 540 stores computer-executable instructions that, when executed, cause the processor 510 to perform the clipboard access control method shown in any of Figures 1, 2, and 3.
  • The embodiment of the present invention further provides a non-volatile storage medium; the computer storage medium stores computer-executable instructions, and the computer-executable instructions are used to perform at least one of the foregoing mobile terminal anti-error touch methods, for example at least one of the clipboard access control methods shown in Figures 1, 2 and 3.
  • the storage medium of this embodiment may be a storage medium such as an optical disk, a hard disk, or a magnetic disk, and may be a non-transitory storage medium.
  • modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices.
  • They may be implemented as program code executable by a computing device, so that they can be stored in a storage medium (ROM/RAM, diskette, optical disk) and executed by a computing device. In some cases, the steps shown or described may be performed in an order different from that described herein, or they may be separately fabricated into individual integrated circuit modules, or a plurality of the modules or steps may be implemented as a single integrated circuit module. Therefore, the invention is not limited to any particular combination of hardware and software.
  • the invention discloses a clipboard access control method and system, and a storage medium, in which a legitimate application's reads of clipboard data are redirected to a private clipboard, thereby preventing an illegal application from obtaining the clipboard data of the legitimate application by monitoring the system clipboard; a data acquisition request sent by a requester application is received and its permission is checked by the secure clipboard service, and after the check passes, the private cut data cached in the secure clipboard service is sent to the requester application. This addresses the security risk of data leakage when a user accesses the clipboard in a BYOD environment, ensuring the security of the cut data while also improving the user experience.

Abstract

A method and system for controlling access to a clipboard, and a storage medium. The method comprises: setting a private clipboard (S201) and a secure clipboard service (S202) for a legitimate application; and storing (S204) obtained (S203) private cut data of the legitimate application in the private clipboard. Thus, data read of the legitimate application from a system clipboard is adjusted to data read from the private clipboard, data monitoring of an illegitimate application to the system clipboard is blocked, and clipboard data in the legitimate application is obtained. The method further comprises: receiving a data obtaining request sent by a requester application (S205); performing a secure clipboard service permission check (S206); and after the check is passed, sending private cut data cached in the secure clipboard service to the requester application (S207).

Description

Clipboard access control method and system, and storage medium
Technical Field
The present invention relates to mobile terminal security technology, and in particular to a clipboard access control method and system, and a storage medium.
Background
With the rapid development and wide application of mobile intelligent technology and smart terminal devices, their functions are becoming increasingly diverse, and mobile applications and services are increasingly abundant. Android is currently the most popular smart terminal platform; Google Play alone offers more than 1 million Android applications. The wide use of smart terminals and the growing range of mobile applications have made it possible for them to enter the mobile office field. Bring Your Own Device (BYOD), with its advantages of flexible working, improved efficiency and cost savings, has become a research hotspot and a trend in future enterprise development.
However, while the wide use of Android applications brings convenience to BYOD, it also brings severe security challenges: employees' own mobile terminals will inevitably run in external network environments, where they are vulnerable to malicious attacks that lead to the leakage of sensitive information. Among the malicious attacks against the Android system, attacks on the Android clipboard exploit security flaws in the Android system clipboard itself. In BYOD applications, the vulnerabilities of the Android clipboard lead to even greater security risks.
In the existing clipboard access control mechanism, the clipboard is globally accessible; that is, all applications can access the clipboard without any permission, and an application is even allowed to register a listener to monitor changes in the content of the cut data. When an illegal application is present in the system, it may monitor and obtain the clipboard data, or even maliciously tamper with it. In a BYOD environment, therefore, both the user's private information and the enterprise's confidential information may be leaked through clipboard operations.
Therefore, the related art has no effective solution for strengthening the security of the Android clipboard so that use of the clipboard service, especially in a BYOD environment, is protected against malicious attacks and against unauthorized access by legitimate users.
Summary of the Invention
Embodiments of the present invention provide a clipboard access control method and system, and a storage medium, to solve the technical problem in the related art that cut data is leaked when an illegal application monitors system clipboard data.
To solve the above technical problem, an embodiment of the present invention provides a clipboard access control method, including:
setting a private clipboard for a legitimate application;
setting a secure clipboard service for the private clipboard;
obtaining private cut data of the legitimate application;
storing the private cut data in the private clipboard;
receiving a data acquisition request sent by a requester application;
performing security authentication on the data acquisition request through the secure clipboard service;
if authentication passes, extracting the private cut data requested by the data acquisition request and sending it to the requester application.
In the above solution, after the private cut data is stored in the private clipboard and before the data acquisition request sent by the requester application is received, the method further includes: receiving a data cache request sent by the legitimate application; performing security authentication on the data cache request through the secure clipboard service; and, if authentication passes, extracting the private cut data from the private clipboard of the legitimate application and sending it to the secure clipboard service for caching.
In the above solution, after the private cut data has been extracted and sent to the secure clipboard service for caching, the method further includes: receiving the data acquisition request sent by the requester application, extracting the private cut data requested by the data acquisition request from the secure clipboard service, and sending it to the requester application.
In the above solution, before the cut data is sent to the secure clipboard, the method further includes: encrypting the cut data according to a preset encryption rule;
after the data acquisition request of the requester application has been received, the requester application decrypts the obtained ciphertext data according to the preset encryption rule.
In the above solution, setting a private clipboard for a legitimate application includes: setting one private clipboard for each legitimate application;
storing the private cut data in the private clipboard includes: storing the cut data in each legitimate application's own private clipboard.
In the above solution, the method further includes: listening for receipt of the private cut data, so as to obtain notifications that private clipboard data has been sent by the legitimate application or by the secure clipboard service.
An embodiment of the present invention further provides a clipboard access control system, including:
a private clipboard setting module, configured to set a private clipboard for a legitimate application;
a secure clipboard service setting module, configured to set a secure clipboard service for the private clipboard;
a data acquisition module, configured to obtain private cut data of the legitimate application;
a storage module, configured to store the private cut data in the private clipboard;
a receiving module, configured to receive a data acquisition request sent by a requester application;
an authentication module, configured to perform security authentication on the data acquisition request;
a sending module, configured to, after authentication by the detection module has passed, extract the private cut data requested by the data acquisition request and send it to the requester application.
In the above solution, the receiving module is further configured to receive a data cache request sent by the legitimate application after the storage module has stored the private cut data in the private clipboard;
the authentication module is further configured to perform security authentication on the data cache request;
the sending module is further configured to, if authentication by the receiving module passes, extract the private cut data from the private clipboard of the legitimate application and send it to the secure clipboard service for caching.
In the above solution, the receiving module includes a receiving submodule, and the sending module includes a sending submodule;
the receiving submodule is configured to receive the data acquisition request sent by the requester application after the private cut data has been extracted and sent to the secure clipboard service for caching;
the sending submodule is configured to extract the private cut data requested by the data acquisition request from the secure clipboard service and send it to the requester application.
In the above solution, the system further includes:
an encryption module, configured to encrypt the cut data according to a preset encryption rule;
a decryption module, configured so that, after the receiving module has received the data acquisition request of the requester application, the requester application decrypts the obtained ciphertext data according to the preset encryption rule.
In the above solution, the private clipboard setting module is further configured to set one private clipboard for each legitimate application;
the storage module storing the private cut data in the private clipboard includes: storing the cut data in each legitimate application's own private clipboard.
In the above solution, the system further includes: a listening module, configured to listen for receipt of the private cut data, so as to obtain notifications that private clipboard data has been sent by the legitimate application or by the secure clipboard service.
An embodiment of the present invention further provides a clipboard access control system, including:
a memory and a processor, the memory storing executable instructions that cause the processor to perform the following operations:
setting a private clipboard for a legitimate application;
setting a secure clipboard service for the private clipboard;
obtaining private cut data of the legitimate application;
storing the private cut data in the private clipboard;
receiving a data acquisition request sent by a requester application;
performing security authentication on the data acquisition request through the secure clipboard service;
if authentication passes, extracting the private cut data requested by the data acquisition request and sending it to the requester application.
An embodiment of the present invention further provides a storage medium storing executable instructions, the executable instructions being used to execute the clipboard access control method provided by the embodiments of the present invention.
The beneficial effects of the embodiments of the present invention are:
By setting a private clipboard for a legitimate application and setting a secure clipboard service, the private cut data of the legitimate application is obtained and stored in the private clipboard, which effectively prevents an illegal application that is monitoring the system clipboard from also monitoring the private cut data exchanged by legitimate applications;
when private cut data needs to be exchanged between legitimate applications, the legitimate application encrypts the private clipboard data and stores it in the secure clipboard service; the requester application must send a data acquisition request to the secure clipboard service, the secure clipboard performs security authentication on the data acquisition request, and if authentication passes, the private cut data requested by the data acquisition request is extracted and sent to the requester application.
With the method provided by the present invention, even if an illegal application can monitor the system clipboard, or can even intercept the private cut data passing between the legitimate applications, it cannot directly obtain the plaintext of the private cut data. This ensures the security of the private cut data, achieves data isolation and access control for the clipboard, and also improves the user experience.
Brief Description of the Drawings
Figure 1 is a flowchart of theft and tampering attacks by an illegal application against private cut data on the clipboard;
Figure 2 is a flowchart of a clipboard access control method provided by Embodiment 1 of the present invention;
Figure 3 is a flowchart of another clipboard access control method provided by Embodiment 2 of the present invention;
Figure 4 is a schematic structural diagram of a clipboard access control system provided by Embodiment 3 of the present invention;
Figure 5 is a schematic diagram of the hardware structure of a clipboard access control system provided by an embodiment of the present invention.
Detailed Description
The present invention is described in further detail below through specific embodiments with reference to the accompanying drawings.
In the existing clipboard access control mechanism, an illegal application can register a system clipboard data change listener with the Android system to monitor changes to the data on the clipboard and thereby obtain private cut data, which leads to theft and tampering attacks against private cut data. The clipboard access control method provided by the embodiments of the present invention therefore sets up a private clipboard and a secure clipboard service, and checks access permission when a requesting application obtains data. This cuts off an illegal application's monitoring of the clipboard used by legitimate applications, so that such an application cannot watch changes to the private cut data of legitimate applications, which in turn blocks theft and tampering attacks against private cut data.
An embodiment of the present invention provides a clipboard access control method, including: setting a private clipboard for a legitimate application and setting a secure clipboard service for the private clipboard, obtaining the private cut data of the legitimate application, and storing the private cut data in the private clipboard; when the legitimate application needs to exchange private cut data, the data acquisition request that the requester application sends to the secure clipboard is first received, the secure clipboard service performs security authentication on the data acquisition request, and if authentication passes, the private cut data is sent to the requester application. Note that a legitimate application, as the term is used in the present invention, is an application that has been instrumented with the private clipboard and security authentication provided by the present invention; an application that has not been instrumented is an illegal application. The secure clipboard service is used to check an application's permission to access clipboard data and to cache private cut data.
Embodiment 1:
Referring to Figure 1, a flowchart of theft and tampering attacks by an illegal application against private cut data on the clipboard, the steps are as follows:
S111: the illegal application 102 calls the Activity component 103, for example by calling the Get method in the Activity component 103, to obtain the ClipboardManager object 106 so that it can operate on the clipboard;
S112: the illegal application 102 creates an object that implements the clipboard listener (OnPrimaryClipChangedListener) interface 105, and overrides the notification method for changes to the private cut data in the clipboard;
S113: the illegal application 102 adds the object created in S112 to the ClipboardManager object 106, so that when the private cut data on the clipboard changes, the object's change notification is invoked;
S114: to read or write using the clipboard, the legitimate application 101 must first call the Get method in the Activity component 103 to obtain the ClipboardManager object 106;
S115: the legitimate application 101 creates a private cut data (ClipData) object 104 and assigns the private cut data to be written to the clipboard to that object, the ClipData object 104 being the basic unit of access to private cut data;
S116: the legitimate application 101 calls the Set method of the ClipboardManager object 106 to write the private cut data object 104 created in S115 to the clipboard;
S117: on receiving notification that the private cut data has changed, the system calls back the corresponding method of the clipboard listener interface 105 registered in the ClipboardManager object 106;
S118: the clipboard listener interface 105 calls the Get method of the ClipboardManager object 106 to obtain the private cut data currently stored in the system clipboard;
S119: the ClipboardManager object 106 sends the private cut data to the illegal application 102, so that the illegal application obtains the private cut data currently stored on the clipboard, completing the data theft attack;
S120: the illegal application 102 can tamper with the private cut data it has obtained, that is, write in data such as code commands or scripts used to carry out an attack;
S121: the illegal application 102 calls the Set method of the ClipboardManager object 106 to write the tampered data back to the system clipboard, completing the data tampering attack; the tampered private cut data can then be used to carry out attacks such as code injection.
Note that the system clipboard in Figure 1 is an open clipboard with no permission restrictions. It temporarily holds the data that each legitimate application obtains through copy or cut operations and makes that data available to the same or to different applications. Because an illegal application can also register with the ClipboardManager object on the system clipboard to monitor changes to private cut data, and access requires no permission at all, the data that each application stores on the clipboard can be obtained by other, unauthorized applications. Access in a BYOD environment therefore carries a risk of data leakage. To address this problem, this embodiment provides a clipboard access control method, as shown in Figure 2.
Referring to Figure 2, a flowchart of the clipboard access control method provided by this embodiment, the specific control steps are as follows:
S201: set a private clipboard for a legitimate application;
S202: set a secure clipboard service for the private clipboard;
S203: obtain the private cut data of the legitimate application;
S204: store the private cut data in the private clipboard;
S205: receive a data acquisition request sent by a requester application;
S206: perform security authentication on the data acquisition request through the secure clipboard service;
S207: if authentication passes, extract the private cut data requested by the data acquisition request and send it to the requester application.
In this embodiment, a private clipboard is set for the legitimate application, and data obtained by cutting or copying is moved to the private clipboard. This keeps the copy/paste function usable while ensuring that private cut data is secure and cannot be monitored and stolen by an illegal application. Note that in this embodiment the private clipboard and the system clipboard can be invoked in two ways, through the application programming interface or through manual operation of visual controls, but both ways ultimately operate the clipboard through the ClipboardManager object. Redirecting the pointer to the ClipboardManager object in the Android application to the private clipboard object therefore effectively cuts off an illegal application's monitoring of the clipboard.
In one implementation of this embodiment, when private clipboards are set for legitimate applications, one private clipboard can be set for each legitimate application; after obtaining private cut data, each legitimate application stores it in its own private clipboard. Note that the private clipboard is implemented as a memory region in the process's private space that only the current process can access, and a process cannot access the private clipboard of another process, so that each application has its own clipboard access function; alternatively, it is a memory region whose characteristics are set by hardware, which likewise makes the clipboard private.
In one implementation, in step S202, a secure clipboard service is set for the private clipboard. The secure clipboard service is used to perform security authentication on received data acquisition requests, and can also be used, during data exchange between legitimate applications, to temporarily hold the private cut data that needs to be exchanged between different applications, thereby protecting the data. The secure clipboard service first receives the data acquisition request sent by the legitimate application and then performs security authentication on it; if the data acquisition request passes authentication, the private cut data requested by the data acquisition request is sent to the requester application.
In this embodiment, after step S204 and before step S205, the method further includes: receiving a data cache request sent by the legitimate application; performing security authentication on the data cache request through the secure clipboard service; and, if authentication passes, extracting the private cut data from the private clipboard of the legitimate application and sending it to the secure clipboard service for caching.
In this embodiment, the clipboard access control method further includes encrypting the private cut data according to a preset encryption rule; that is, the private cut data must be encrypted before it is sent out, to prevent an illegal application from intercepting and stealing it. In one implementation, the private cut data can be encrypted with a symmetric encryption algorithm in cipher block chaining mode (such as the SM4 algorithm published by China's State Cryptography Administration), the key being derived from the user group defined by the security policy. The ciphertext data produced by this encryption is then sent to the requester application; after receiving the ciphertext data, the requester application decrypts it with the encryption key to obtain the plaintext of the private cut data.
In this embodiment, the ciphertext data can be sent to the legitimate application by broadcast, and listening for receipt of private cut data is set up on both the secure clipboard service and the legitimate application, so that data received by the secure clipboard service or by the legitimate application is monitored.
In the clipboard access control method provided by this embodiment, when the clipboard is used to pass data between different legitimate applications, the system calls back the onPause method of the current Activity and pauses the Activity of the current application, putting it into the inactive state. At this point, the current legitimate application invokes the preset encryption rule to encrypt the private cut data and sends the ciphertext data to the secure clipboard service by broadcast.
In the clipboard access control method provided by this embodiment, the broadcast that the legitimate application sends to the secure clipboard contains the private cut ciphertext data and information about the group to which the application belongs.
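The broadcast described above carries ciphertext together with the sender's group information, and Figure 1 includes a tampering step (S120, S121), so the receiver has reason to check that neither part was changed in transit. The following added example, which is not part of the patent, authenticates the group label and the ciphertext with HMAC-SHA-256 under a per-group key. The HKDF derivation, the payload layout, and all names and sample bytes are assumptions, since the patent says only that the key is derived from the user group.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of an HMAC-SHA-256 tag in bytes


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def group_mac_key(master_secret: bytes, group: str) -> bytes:
    """Assumed derivation: one MAC key per user group, separate from any cipher key."""
    return hkdf_sha256(master_secret, b"clipboard-policy", b"mac:" + group.encode())


def seal(mac_key: bytes, group: str, ciphertext: bytes) -> bytes:
    """Build the broadcast payload: length-prefixed group label, ciphertext, tag."""
    label = group.encode()
    header = len(label).to_bytes(2, "big") + label
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_sealed(mac_key: bytes, own_group: str, payload: bytes) -> bytes:
    """Return the ciphertext only if the payload is intact and labelled own_group."""
    if len(payload) < 2 + TAG_LEN:
        raise ValueError("payload too short")
    label_len = int.from_bytes(payload[:2], "big")
    if len(payload) < 2 + label_len + TAG_LEN:
        raise ValueError("truncated group label")
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("payload was modified or sealed under another key")
    if body[2:2 + label_len] != own_group.encode():
        raise ValueError("payload is labelled for a different group")
    return body[2 + label_len:]
```

Because the tag covers the group label as well as the ciphertext, relabelling a payload for another group fails verification in the same way as flipping a ciphertext bit.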
In the clipboard access control method provided by this embodiment, when the Activity of the application requesting the private cut data enters the active state, the system calls back the Activity's onResume method; at this point, the requester application sends a private cut data request broadcast to the secure clipboard service.
The clipboard access control method provided by this embodiment further includes: listening for receipt of the private cut data sent to the secure clipboard service for caching, so as to obtain cache notifications for private cut data coming from legitimate applications; listening for receipt of private cut data is also set up on the legitimate application, so as to receive notifications that private cut data has been sent by the secure clipboard service.
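The open system clipboard of Figure 1 set beside the S201 to S207 flow of Figure 2, as an added Python model that is not part of the patent. Class names, app identifiers, the policy shape (app to user group) and the group-scoped cache are assumptions; payload encryption is left out, and the caller identity is passed as a string where a real system would take it from the platform.

```python
from typing import Callable, Dict, List, Optional, Tuple


class SystemClipboard:
    """Figure 1: globally accessible, any app may register a change listener."""

    def __init__(self) -> None:
        self._clip: Optional[bytes] = None
        self._listeners: List[Callable[[bytes], None]] = []

    def add_listener(self, callback: Callable[[bytes], None]) -> None:
        self._listeners.append(callback)

    def set_clip(self, data: bytes) -> None:
        self._clip = data
        for callback in self._listeners:  # every listener sees the new clip
            callback(data)


class PrivateClipboard:
    """S201/S204: one clipboard per legitimate app, with no listener interface."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self._clip: Optional[bytes] = None

    def _require_owner(self, caller: str) -> None:
        if caller != self.owner:
            raise PermissionError(f"{caller} may not use {self.owner}'s clipboard")

    def set_clip(self, caller: str, data: bytes) -> None:
        self._require_owner(caller)
        self._clip = data

    def get_clip(self, caller: str) -> Optional[bytes]:
        self._require_owner(caller)
        return self._clip


class SecureClipboardService:
    """S202: authenticates cache and acquisition requests, caches per user group."""

    def __init__(self, policy: Dict[str, str]) -> None:
        self._policy = dict(policy)              # app id -> user group (assumed shape)
        self._cache: Dict[str, bytes] = {}       # user group -> cached payload
        self.denied: List[Tuple[str, str]] = []  # audit trail of rejected requests

    def _authenticate(self, app: str, action: str) -> str:
        group = self._policy.get(app)
        if group is None:
            self.denied.append((app, action))
            raise PermissionError(f"{app} is not an enrolled application")
        return group

    def cache_request(self, app: str, claimed_group: str, payload: bytes) -> None:
        group = self._authenticate(app, "cache")
        if claimed_group != group:  # no writing into another group's slot
            self.denied.append((app, "cache"))
            raise PermissionError(f"{app} is not a member of {claimed_group}")
        self._cache[group] = payload

    def acquire_request(self, app: str) -> Optional[bytes]:
        group = self._authenticate(app, "acquire")  # S205, S206
        return self._cache.get(group)               # S207: requester's group only


def run_scenario() -> dict:
    """Constructed scenario: two apps in one group, one in another, one not enrolled."""
    service = SecureClipboardService(
        {"corp.mail": "finance", "corp.docs": "finance", "corp.chat": "support"})
    secret = b"constructed sample: Q3 forecast"
    seen_by_listener: List[bytes] = []  # what the non-enrolled app's listener receives

    system = SystemClipboard()
    system.add_listener(seen_by_listener.append)
    system.set_clip(secret)             # Figure 1: the copy lands on the system clipboard
    leaked_before = list(seen_by_listener)
    seen_by_listener.clear()

    mail_clip = PrivateClipboard("corp.mail")
    mail_clip.set_clip("corp.mail", secret)  # S203, S204: no listener is notified
    service.cache_request("corp.mail", "finance", mail_clip.get_clip("corp.mail"))

    rejected = []
    for name, attempt in (("service", lambda: service.acquire_request("spy.app")),
                          ("private", lambda: mail_clip.get_clip("spy.app"))):
        try:
            attempt()
        except PermissionError:
            rejected.append(name)
    return {"leaked_before": leaked_before,
            "leaked_after": list(seen_by_listener),
            "same_group": service.acquire_request("corp.docs"),
            "other_group": service.acquire_request("corp.chat"),
            "rejected": rejected,
            "denied_log": list(service.denied)}
```

The `denied` list is the piece a monitoring pipeline would consume: repeated acquisition attempts from a non-enrolled app are visible there even though each one is refused.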
Embodiment 2:
FIG. 3 shows another clipboard access control method provided by this embodiment. This embodiment takes the Android system as an example to describe the clipboard access control method; the specific steps are as follows:
S311, register a broadcast listener on the secure clipboard service 309 to handle request broadcasts from legitimate applications for sending private cut data;
S312, the illegal application 302 obtains the ClipboardManager object 306 by calling the Get method in the Activity component 303, in order to operate on the system clipboard;
S313, the illegal application 302 creates an object that implements the OnPrimaryClipChangedListener interface 305 and overrides the system clipboard's cut data change notification method;
S314, the illegal application 302 adds the object created in step S313 to the system's clipboard manager object 306, so that the object's change notification is invoked whenever the cut data changes;
S315, register a broadcast listener on the legitimate application 301 so that it can receive broadcast messages from the secure clipboard service 309, the broadcast messages including data cache requests and the ciphertext data of private cut data;
S316, to read and write using the private clipboard, the legitimate application 301 must first call the Get method in the Activity component 303 to obtain the ClipboardManager object 306;
S317, the legitimate application 301 creates a private cut data object 304 and assigns to it the private cut data to be written to the private clipboard, where the private cut data object 304 is the basic unit of private cut data access;
S318, the legitimate application 301 redirects the pointer to the ClipboardManager object 306 to the private clipboard object 307;
S319, the legitimate application 301 calls the Set method of the private clipboard object 307 to write the private cut data object 304 created in step S317 into the private clipboard;
S320, under normal circumstances, when data needs to be read via the clipboard inside the legitimate application 301, the legitimate application 301 calls the Get method of the private clipboard object 307 to obtain the private cut data currently stored in the private clipboard;
S321, when legitimate applications in the Android system are switched, that is, when the clipboard needs to be used to pass data between different legitimate applications, the system calls back the onPause method of the current Activity component 303 and pauses the current application's Activity, switching it to the inactive state;
S322, the current legitimate application 301 calls the encryption method of the encryption rule 308 to encrypt the private cut data in the current private clipboard, generating ciphertext data;
S323, the current legitimate application 301 sends a broadcast message to the secure clipboard service 309; the broadcast message contains the ciphertext data generated in step S322 and the group information and feature information of the current legitimate application;
S324, the secure clipboard service 309 receives the message sent in step S323 and stores the ciphertext data of the private cut data locally;
S325, when the legitimate application 301 requesting the private cut data is activated and its Activity switches to the active state, the system calls back the onResume method of its Activity component 303;
S326, the requesting legitimate application 301 sends a private cut data request broadcast to the secure clipboard service 309; the broadcast message contains the request to obtain the private cut ciphertext data together with the group information and feature information included in step S323;
S327, the secure clipboard service 309 performs a permission check on the request in step S326 and decides whether to allow sending the private cut ciphertext data containing the requested ciphertext data;
S328, if allowed, the secure clipboard service 309 sends the currently stored ciphertext data to the requesting application 301 as broadcast ciphertext;
S329, the requesting application 301 calls the decryption method of the encryption rule 308 to decrypt the private cut ciphertext data, obtaining the private cut data plaintext;
S330, the encryption rule 308 sends the recovered private cut data plaintext to the requesting legitimate application 301;
S331, the requesting legitimate application 301 writes the private cut data plaintext into its own private clipboard object 307, completing the cross-application acquisition of private cut data.
It is worth noting that, in this embodiment, every legitimate application is provided with a private clipboard and encryption/decryption rules; the secure clipboard service may be a single system service shared by the legitimate applications, and any legitimate application has permission to access it.
In this embodiment, the secure clipboard service may also be set up inside each legitimate application, that is, each legitimate application has its own independent secure clipboard service. When private cut data needs to be exchanged, each legitimate application first encrypts the private cut data to be sent, then sends it to its own secure clipboard service, and finally the encrypted ciphertext data is broadcast to the legitimate applications that need it. In one embodiment, before the ciphertext data is broadcast, a data acquisition request from the requesting application must also be received and security-authenticated; if authentication passes, the corresponding ciphertext data is broadcast to the requesting application.
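The flow of steps S312 to S331 in Embodiment 2, modelled in Python as an added example that is not code from the patent. Assumptions: the HMAC-SHA256 encrypt-then-MAC construction stands in for the unspecified "preset encryption rule", the permission check of S327 is modelled as a lookup of app id and group in a registry, and all class, method and app names are hypothetical.

```python
import hashlib
import hmac
import os

class EncryptionRule:
    """Stand-in for encryption rule 308 (assumed): HMAC-SHA256 keystream, encrypt-then-MAC."""
    def __init__(self, group_key):
        self._enc = hmac.new(group_key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(group_key, b"mac", hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        stream = b""
        for counter in range(len(data) // 32 + 1):
            block = nonce + counter.to_bytes(4, "big")
            stream += hmac.new(self._enc, block, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    def encrypt(self, plaintext):
        nonce = os.urandom(16)
        body = self._xor_stream(nonce, plaintext)
        return nonce + body + hmac.new(self._mac, nonce + body, hashlib.sha256).digest()

    def decrypt(self, blob):
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac, nonce + body, hashlib.sha256).digest()
        if len(blob) < 48 or not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext rejected: truncated or modified")
        return self._xor_stream(nonce, body)

class SystemClipboard:
    """Shared system clipboard: every registered listener sees each change (S312-S314)."""
    def __init__(self):
        self.listeners = []

    def set_primary_clip(self, data):
        for notify in self.listeners:
            notify(data)

class SecureClipboardService:
    """Service 309: stores ciphertext only and checks every request (S324, S327, S328)."""
    def __init__(self, registry):
        self._registry = dict(registry)  # feature info (app id) -> group; assumed provisioned
        self._cache = {}                 # group -> most recent ciphertext

    def _permitted(self, app_id, group):
        # Assumed check: the sender is a known app and claims the group it is registered in.
        return app_id in self._registry and self._registry[app_id] == group

    def cache(self, app_id, group, ciphertext):
        if self._permitted(app_id, group):
            self._cache[group] = ciphertext
            return True
        return False

    def request(self, app_id, group):
        return self._cache.get(group) if self._permitted(app_id, group) else None

class LegitimateApp:
    """Legitimate application 301 with its own private clipboard object 307."""
    def __init__(self, app_id, group, rule, service):
        self.app_id, self.group, self.rule, self.service = app_id, group, rule, service
        self.private_clipboard = None

    def copy(self, text):
        self.private_clipboard = text  # S317-S319: never touches the system clipboard

    def on_pause(self):  # S321-S323: encrypt, then hand the ciphertext to the service
        if self.private_clipboard is not None:
            blob = self.rule.encrypt(self.private_clipboard.encode("utf-8"))
            self.service.cache(self.app_id, self.group, blob)

    def on_resume(self):  # S325-S331: request, decrypt, store in own private clipboard
        blob = self.service.request(self.app_id, self.group)
        if blob is not None:
            self.private_clipboard = self.rule.decrypt(blob).decode("utf-8")

def run_demo():
    """Constructed scenario: two apps in group "work" plus a listener on the system clipboard."""
    system, sniffed = SystemClipboard(), []
    system.listeners.append(sniffed.append)   # illegal application 302's change listener
    service = SecureClipboardService({"mail": "work", "notes": "work"})
    rule = EncryptionRule(b"constructed-demo-group-key")
    mail = LegitimateApp("mail", "work", rule, service)
    notes = LegitimateApp("notes", "work", rule, service)
    system.set_primary_clip("public text")    # ordinary copy: the listener is notified
    mail.copy("Q3 payroll figures")           # private copy: nothing reaches the listener
    mail.on_pause()
    notes.on_resume()
    return {
        "sniffed": sniffed,
        "pasted": notes.private_clipboard,
        "unregistered": service.request("game", "work"),
        "wrong_group": service.request("mail", "personal"),
        "cached": service.request("mail", "work"),
    }
```

In this model the service holds ciphertext only, so the group key shared by the legitimate applications is what actually protects the data; the registry check decides who may fetch the ciphertext.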
Embodiment 3:
FIG. 4 shows the clipboard access control system 40 provided by this embodiment. In this embodiment, the clipboard access control system includes:
a private clipboard setting module 401, configured to set a private clipboard for legitimate applications; in one embodiment, when setting the private clipboard, one private clipboard may be set for each legitimate application, in which the legitimate application stores its own private cut data.
a secure clipboard service setting module 402, configured to set a secure clipboard service for the private clipboard;
a data acquisition module 403, configured to obtain the private cut data of the legitimate application;
a storage module 404, configured to store the private cut data in the private clipboard; when each legitimate application sets up its own independent private clipboard, the storage module 404 specifically stores each legitimate application's own private cut data on its own corresponding private clipboard.
a receiving module 405, configured to receive the data acquisition request sent by the requesting application;
an authentication module 406, configured to perform security authentication on the data acquisition request;
a sending module 407, configured to extract, after authentication by the detection module passes, the private cut data requested by the data acquisition request and send it to the requesting application.
In this embodiment, storing private cut data in a private clipboard isolates the data storage and ensures that an illegal application listening on the system clipboard cannot obtain the private cut data, let alone steal or tamper with it.
In this embodiment, the receiving module 405 includes a receiving submodule and the sending module 407 includes a sending submodule. The receiving submodule is configured to receive, after the storage module 404 stores the private cut data in the private clipboard and before the receiving module 405 receives the data acquisition request sent by the requesting application, the data-sending request (data cache request) sent by the legitimate application; the authentication module 406 performs security authentication on that request; if authentication passes, the sending submodule extracts the private cut data from the private clipboard and sends it to the secure clipboard service for caching.
In this embodiment, the clipboard access control system 40 further includes:
an encryption module 408, configured to encrypt the private cut data according to a preset encryption rule; the sending module 407 sends the ciphertext data obtained by the encryption to the requesting application;
a decryption module 409, configured so that, after the receiving module 405 receives the requesting application's data acquisition request, the requesting application decrypts the ciphertext data according to the preset encryption rule.
In this embodiment, the clipboard access control system 40 further includes a listening module 410, configured to listen, after the private clipboard setting module 401 has set the secure clipboard service for the legitimate application, for incoming private cut data, so as to obtain private clipboard data sending notifications from the secure clipboard service or the private clipboard.
FIG. 5 is a schematic diagram of the hardware structure of the clipboard access control system provided by an embodiment of the present invention, which includes:
a processor 510, an input/output interface 530 (for example, one or more of a display, a keyboard, a touch screen, and a speaker microphone), a storage medium 540, and a network interface 520 (using any of various wired or wireless communication technologies); the components may be connected to communicate via a system bus 550.
The storage medium 540 may be a ROM (for example, read-only memory, FLASH memory, a transfer device, etc.), a magnetic storage medium (for example, magnetic tape, a disk drive, etc.), an optical storage medium (for example, CD-ROM, DVD-ROM, paper card, paper tape, etc.), or another well-known type of program memory. The storage medium 540 stores computer-executable instructions which, when executed, cause the processor 510 to perform the clipboard access control method shown in any of FIG. 1, FIG. 2 and FIG. 3.
An embodiment of the present invention further provides a non-volatile storage medium; the computer storage medium stores computer-executable instructions, which are used for at least one of the aforementioned mobile terminal false-touch prevention methods, for example at least one of the clipboard access control methods shown in FIG. 1, FIG. 2 and FIG. 3. The storage medium of this embodiment may be a storage medium such as an optical disc, a hard disk or a magnetic disk, and is optionally a non-transitory storage medium.
In summary, the embodiments of the present invention provide at least the following beneficial effects:
A private clipboard is set for legitimate applications and a secure clipboard service is set up; the private cut data of the legitimate application is then obtained and stored in the private clipboard. When another application needs to obtain that private cut data, it must send a data acquisition request and undergo a permission check, and only if the check passes can it access the data. The method provided by the present invention can therefore effectively cut off illegal applications' listening on private cut data and avoid the danger of private cut data being stolen. This resolves the data-leak risk that exists when a user accesses clipboard data in a BYOD environment, and also improves the user's experience of using applications in a BYOD environment.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed across a network formed by multiple computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage medium (ROM/RAM, magnetic disk, optical disc) and executed by a computing device; in some cases the steps shown or described may be performed in an order different from that given here, or they may each be made into individual integrated circuit modules, or multiple modules or steps among them may be made into a single integrated circuit module. The present invention is therefore not limited to any particular combination of hardware and software.
The above is a further detailed description of the present invention in connection with specific embodiments, and it cannot be concluded that the specific implementation of the present invention is limited to these descriptions. For those of ordinary skill in the art to which the present invention belongs, several simple deductions or substitutions may be made without departing from the concept of the present invention, all of which shall be regarded as falling within the scope of protection of the present invention.
Industrial applicability
The present invention discloses a clipboard access control method and system, and a storage medium. It redirects a legitimate application's clipboard reads from the system clipboard to a private clipboard, thereby preventing illegal applications from obtaining the legitimate application's clipboard data by listening on the system clipboard. A data acquisition request sent by a requesting application is received and its permissions are checked by the secure clipboard service; once the check passes, the private cut data cached in the secure clipboard service is sent to the requesting application. This resolves the data-leak risk that exists when a user accesses clipboard data in a BYOD environment, thereby ensuring the security of the cut data while also improving the user experience.

Claims (14)

  1. A clipboard access control method, comprising:
    setting a private clipboard for a legitimate application;
    setting a secure clipboard service for the private clipboard;
    obtaining private cut data of the legitimate application;
    storing the private cut data in the private clipboard;
    receiving a data acquisition request sent by a requesting application;
    performing security authentication on the data acquisition request through the secure clipboard service;
    if the authentication passes, extracting the private cut data requested by the data acquisition request and sending it to the requesting application.
  2. The clipboard access control method according to claim 1, wherein after the private cut data is stored in the private clipboard and before the data acquisition request sent by the requesting application is received, the method further comprises:
    receiving a data cache request sent by the legitimate application; performing security authentication on the data cache request through the secure clipboard service; if the authentication passes, extracting the private cut data from the private clipboard of the legitimate application and sending it to the secure clipboard service for caching.
  3. The clipboard access control method according to claim 2, wherein after the private cut data is extracted and sent to the secure clipboard service for caching, the method further comprises:
    receiving the data acquisition request sent by the requesting application, extracting from the secure clipboard service the private cut data requested by the data acquisition request, and sending it to the requesting application.
  4. The clipboard access control method according to claim 3, wherein before the cut data is sent to the secure clipboard, the method further comprises:
    encrypting the cut data according to a preset encryption rule;
    after the data acquisition request of the requesting application is received, decrypting, by the requesting application according to the preset encryption rule, the obtained ciphertext data.
  5. The clipboard access control method according to any one of claims 1-4, wherein
    setting a private clipboard for a legitimate application comprises:
    setting one private clipboard for each legitimate application;
    storing the private cut data in the private clipboard comprises:
    storing the cut data in each legitimate application's own private clipboard.
  6. The clipboard access control method according to claim 5, further comprising:
    listening for incoming private cut data, so as to obtain private clipboard data sending notifications from the legitimate application or the secure clipboard service.
  7. A clipboard access control system, comprising:
    a private clipboard setting module, configured to set a private clipboard for a legitimate application;
    a secure clipboard service setting module, configured to set a secure clipboard service for the private clipboard;
    a data acquisition module, configured to obtain private cut data of the legitimate application;
    a storage module, configured to store the private cut data in the private clipboard;
    a receiving module, configured to receive a data acquisition request sent by a requesting application;
    an authentication module, configured to perform security authentication on the data acquisition request;
    a sending module, configured to extract, after authentication by the detection module passes, the private cut data requested by the data acquisition request and send it to the requesting application.
  8. The clipboard access control system according to claim 7, wherein
    the receiving module is further configured to receive, after the storage module stores the private cut data in the private clipboard, a data cache request sent by the legitimate application;
    the authentication module is further configured to perform security authentication on the data cache request;
    the sending module is further configured to, if authentication by the receiving module passes, extract the private cut data from the private clipboard of the legitimate application and send it to the secure clipboard service for caching.
  9. The clipboard access control system according to claim 8, wherein the receiving module comprises a receiving submodule and the sending module comprises a sending submodule;
    the receiving submodule is configured to receive the data acquisition request sent by the requesting application after the private cut data has been extracted and sent to the secure clipboard service for caching;
    the sending submodule is configured to extract from the secure clipboard service the private cut data requested by the data acquisition request and send it to the requesting application.
  10. The clipboard access control system according to claim 9, further comprising:
    an encryption module, configured to encrypt the private cut data according to a preset encryption rule;
    a decryption module, configured to decrypt, after the receiving module receives the data acquisition request of the requesting application, the obtained ciphertext data by the requesting application according to the preset encryption rule.
  11. The clipboard access control system according to claims 7-10, wherein
    the private clipboard setting module is further configured to set one private clipboard for each legitimate application;
    the storage module is further configured to store the cut data in each legitimate application's own private clipboard.
  12. The clipboard access control system according to claim 11, further comprising:
    a listening module, configured to listen for incoming private cut data, so as to obtain private clipboard data sending notifications from the legitimate application or the secure clipboard service.
  13. A clipboard access control system, comprising:
    a memory and a processor, the memory storing executable instructions for causing the processor to perform the following operations:
    setting a private clipboard for a legitimate application;
    setting a secure clipboard service for the private clipboard;
    obtaining private cut data of the legitimate application;
    storing the private cut data in the private clipboard;
    receiving a data acquisition request sent by a requesting application;
    performing security authentication on the data acquisition request through the secure clipboard service;
    if the authentication passes, extracting the private cut data requested by the data acquisition request and sending it to the requesting application.
  14. A storage medium storing executable instructions, the executable instructions being used to perform the clipboard access control method according to any one of claims 1 to 6.
PCT/CN2017/076858 2016-03-22 2017-03-15 Method and system for controlling access to clipboard, and storage medium WO2017162081A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610165291.9 2016-03-22
CN201610165291.9A CN107220555B (en) 2016-03-22 2016-03-22 Clipboard access control method and system

Publications (1)

Publication Number Publication Date
WO2017162081A1 (en) 2017-09-28

Family

ID=59899264

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/076858 WO2017162081A1 (en) 2016-03-22 2017-03-15 Method and system for controlling access to clipboard, and storage medium

Country Status (2)

Country Link
CN (1) CN107220555B (en)
WO (1) WO2017162081A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111782424A (en) * 2020-07-03 2020-10-16 厦门美图之家科技有限公司 Data processing method and device, electronic equipment and storage medium
CN112463402A (en) * 2020-11-03 2021-03-09 浙江华途信息安全技术股份有限公司 Clipboard control method and system based on macOS operating system
CN113806714A (en) * 2020-06-14 2021-12-17 武汉斗鱼鱼乐网络科技有限公司 Safe transmission method and device for white list information of application program
WO2022196931A1 (en) * 2021-03-15 2022-09-22 삼성전자주식회사 Method for controlling clipboard and electronic device for performing same method
WO2024037360A1 (en) * 2022-08-16 2024-02-22 华为技术有限公司 Privacy protection method and related device

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108205631A (en) * 2017-12-27 2018-06-26 新华三技术有限公司 A kind of content copying methods and device
CN109117670A (en) * 2018-08-16 2019-01-01 海南新软软件有限公司 A kind of realization shear plate data encryption and decryption method, apparatus and hardware device
CN109255598A (en) * 2018-09-25 2019-01-22 海南新软软件有限公司 Reminding method, device and terminal are distorted in a kind of digital asset address
CN109543402A (en) * 2018-11-06 2019-03-29 北京指掌易科技有限公司 A kind of duplication stickup guard method based on Android application
CN111581665B (en) * 2020-05-09 2021-07-06 维沃移动通信有限公司 Data processing method and device and electronic equipment
CN112270004B (en) * 2020-10-28 2022-05-06 维沃移动通信有限公司 Content encryption method and device and electronic equipment
CN113360226A (en) * 2021-05-26 2021-09-07 Oppo广东移动通信有限公司 Data content processing method, device, terminal and storage medium
CN113885999A (en) * 2021-10-22 2022-01-04 广州九尾信息科技有限公司 Clipboard GUI management tool and method based on mac OS platform
CN114356614B (en) * 2022-03-17 2022-06-10 北京蔚领时代科技有限公司 Shear plate data isolation method and device
CN114945176B (en) * 2022-04-12 2023-05-30 荣耀终端有限公司 Clipboard access control method, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070016771A1 (en) * 2005-07-11 2007-01-18 Simdesk Technologies, Inc. Maintaining security for file copy operations
CN1924814A (en) * 2005-08-30 2007-03-07 国际商业机器公司 Control method of application program and apparatus therefor
CN101114319A (en) * 2006-07-28 2008-01-30 上海山丽信息安全有限公司 Shear plate information protecting equipment and method thereof
CN101278281A (en) * 2005-10-03 2008-10-01 微软公司 Distributed clipboard

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB201110769D0 (en) * 2011-06-24 2011-08-10 Appsense Ltd Improvements in and relating to cut/copy and paste functionality
CN102609642A (en) * 2012-01-09 2012-07-25 中标软件有限公司 Clipboard control method and clipboard control system
CN103019814B (en) * 2012-11-21 2016-03-30 北京荣之联科技股份有限公司 A kind of shear plate management system and method
WO2014110057A1 (en) * 2013-01-08 2014-07-17 Good Technology Corporation Clipboard management
CN104268479B (en) * 2014-09-29 2017-03-01 北京奇虎科技有限公司 A kind of method of text maninulation isolation, device and mobile terminal
CN105389216A (en) * 2015-12-15 2016-03-09 联想(北京)有限公司 Clipboard data caching method and apparatus and electronic device

Also Published As

Publication number Publication date
CN107220555A (en) 2017-09-29
CN107220555B (en) 2022-04-19

Similar Documents

Publication Publication Date Title
WO2017162081A1 (en) Method and system for controlling access to clipboard, and storage medium
US11848753B2 (en) Securing audio communications
US10360369B2 (en) Securing sensor data
US20190036693A1 (en) Controlled access to data in a sandboxed environment
KR101894232B1 (en) Method and apparatus for cloud-assisted cryptography
CN109587101B (en) Digital certificate management method, device and storage medium
US9202076B1 (en) Systems and methods for sharing data stored on secure third-party storage platforms
US9203815B1 (en) Systems and methods for secure third-party data storage
CN113849847B (en) Method, apparatus and medium for encrypting and decrypting sensitive data
WO2015117523A1 (en) Access control method and device
WO2017166362A1 (en) Esim number writing method, security system, esim number server, and terminal
WO2023155696A1 (en) Database operation method and system, and storage medium and computer terminal
CN109344632A (en) A kind of OPENSTACK volumes of encryption method based on hardware encryption card
KR20160146623A (en) A Method for securing contents in mobile environment, Recording medium for storing the method, and Security system for mobile terminal
WO2017020449A1 (en) Fingerprint reading method and user equipment
US11340801B2 (en) Data protection method and electronic device implementing data protection method
CN102780812A (en) Method and system for achieving safe input by using mobile terminal
CN106992976B (en) Network security management method and server
KR101703847B1 (en) A Method for securing contents in mobile environment, Recording medium for storing the method, and Security system for mobile terminal
CN111181952A (en) Password protection method and device of mobile application program and computer storage medium
GB2608435A (en) System and method for managing transparent data encryption of database
CN116488830A (en) Device access authentication method, device, system, electronic device and storage medium
CN116089927A (en) Password protection method and device, electronic equipment and storage medium
CN115622781A (en) SDN-based data security transmission method, device, equipment and storage medium
TW201626282A (en) System and method for securing file access

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17769358; Country of ref document: EP; Kind code of ref document: A1)
122 Ep: pct application non-entry in european phase (Ref document number: 17769358; Country of ref document: EP; Kind code of ref document: A1)