WO2019127468A1 - Grouped application using same key for sharing data - Google Patents


Info

Publication number
WO2019127468A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
data
key management
module
application process
Application number
PCT/CN2017/120132
Other languages
French (fr)
Chinese (zh)
Inventor
杨李军
熊晟
王奇
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2017/120132 (WO2019127468A1)
Priority to CN201780082026.7A (CN110140124B)
Publication of WO2019127468A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12: Protecting executable software

Definitions

  • the present application relates to the field of communications technologies, and in particular, to a data processing method and terminal.
  • Each application on the terminal runs in its own process space, and the data and functions of each process are isolated from one another. If communication between processes is required, the accessed process must first check the permissions of the accessing process. If the check succeeds, the accessing process has the access right and is allowed to access; otherwise it does not have the access right and access is refused.
  • The current terminal therefore relies on a permission mechanism to secure communication between processes.
  • A user may, however, be induced to install a malicious application and to grant it permissions.
  • Such a malicious application then passes the permission checks of other processes (the accessed processes), so it can read the data of other applications at will, including key information, which can harm the user.
  • the data processing method and terminal provided by the application can improve data security in an application process on the terminal.
  • In a first aspect, a data processing method provided by the present application is applicable to a terminal that runs a first application process, a second application process and a key management process.
  • The method includes: the second application process sends an access request to the first application process, the access request requesting access to third data of the first application process; the key management process receives a decryption request requesting decryption of the third data; if the key management process determines that the second application process is in the process group in which the first application process is located, the key management process decrypts the third data using the decryption key corresponding to that process group, obtaining fourth data; and, in response to the decryption request, the key management process returns the fourth data.
  • The first application process is one of the processes run by the first application. The first application may be any application on the terminal, i.e. a program and data set that performs certain business functions, for example an SMS application, the Meituan application, the Taobao application, etc.
  • The second application process may be another process of the first application, different from the first application process; or it may be a process of a second application, where the second application is different from the first application.
  • the second application process needs to obtain permission to access the first application process in advance.
  • The first data may be data that needs to be encrypted, for example data determined according to the first application process or the nature of the first application's service, such as important, critical or sensitive data of the first application process or the first application.
  • The key management module determines the process group corresponding to a third application process according to the service type of the third application process or its download source, associates the identifier of the third application process with the group identifier, and saves the association locally.
  • The key management process decrypts the third data using the decryption key corresponding to the process group in which the first application process is located, so that the second application process obtains the decrypted third data, that is, the fourth data.
  • In this way, only a process in the same process group obtains the decrypted data of the first application process, which helps improve data security in the first application process.
  • In one possible design, the key management process receiving a decryption request for the third data specifically means that the key management process receives a decryption request sent by the first application process in response to the access request.
  • The key management process returning the fourth data then specifically means returning the fourth data to the first application process, and the first application process sends the fourth data to the second application process.
  • In this design, the second application process accesses the first application process, and the first application process asks the key management process to decrypt the third data; the decrypted third data, that is, the fourth data, is then passed on to the second application process.
  • the embodiment of the present application provides a method for a second application process to access third data of a first application process.
  • In one possible design, if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sends the third data (still encrypted) to the first application process, and the first application process sends the third data to the second application process.
  • That is, the key management process does not decrypt the third data; the third data is passed to the second application process through the first application process as-is, which helps protect the data security of the first application process.
  • Alternatively, the key management process may directly reject the first application process's decryption request for the third data and end the procedure.
  • In another possible design, the method further includes: the second application process receives the third data sent by the first application process; the decryption request received by the key management process is specifically a decryption request sent by the second application process; and the key management process returns the fourth data specifically to the second application process.
  • That is, when the second application process accesses data of the first application process, it first obtains the data encrypted by the first application process (the third data) and then asks the key management process to decrypt it. After the key management process decrypts the third data, the decrypted third data, that is, the fourth data, may be sent to the second application process. This embodiment therefore provides another method by which a second application process accesses third data of a first application process.
  • In this design, if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sends the third data back to the second application process.
  • That is, the key management process does not decrypt the third data and returns it to the second application process unchanged, which helps protect the data security of the first application process.
  • In one possible design, the method further includes: the key management process obtains an identifier of the first application process; determines, according to that identifier, the identifier of the process group in which the first application process is located; and obtains, according to the process group identifier, the decryption key corresponding to that process group.
  • the present application provides a method for a terminal to acquire a decryption key corresponding to a process group in which a first application process is located.
  • In one possible design, the first application process requests the key management process to encrypt first data; the key management process determines, according to the request, the process group in which the first application process is located; the key management process encrypts the first data using the encryption key corresponding to that process group to generate second data, where N process groups correspond to M encryption keys and each process group corresponds to one encryption key; and the key management process sends the second data to the first application process.
  • The present application thus implements a method in which the application processes of one process group encrypt their data using the same encryption key, which helps improve data security in the application processes.
  • the first application process saves the second data.
  • the first application process saves the second data in an encrypted storage area in the first application process.
  • The encrypted storage area is a specific storage space of the first application process dedicated to storing data encrypted by the key management module.
  • The key management process determining the process group of the first application process according to the request specifically means: the key management process obtains the identifier of the first application process, determines the identifier of the process group in which the first application process is located according to that identifier, and obtains the encryption key corresponding to the process group according to the process group identifier.
  • In a second aspect, a terminal includes a first application module, a second application module and a key management module. The second application module is configured to send an access request to the first application module requesting access to third data of the first application process; the key management module is configured to receive a decryption request for decrypting the third data and, after determining according to the decryption request that the second application process is in the process group in which the first application process is located, to decrypt the third data using the decryption key corresponding to that process group to obtain fourth data; the key management module is further configured to return the fourth data in response to the decryption request.
  • In one possible design, the key management module is further configured to receive a decryption request sent by the first application module according to the access request, and to return the fourth data to the first application module; the first application module is configured to send the fourth data to the second application module.
  • In one possible design, the key management module is further configured to send the third data to the first application module if it determines that the second application process is not in the process group in which the first application process is located; the first application module is further configured to send the third data to the second application module.
  • In another possible design, the second application module is further configured to receive the third data sent by the first application module; the key management module is further configured to receive a decryption request sent by the second application module and to return the fourth data to the second application module.
  • In this design, the key management module is further configured to send the third data to the second application module if it determines that the second application process is not in the process group in which the first application process is located.
  • In one possible design, the key management module is further configured to obtain an identifier of the first application module, to determine according to that identifier the process group in which the first application module is located, and to obtain the decryption key corresponding to that process group according to the process group identifier.
  • In one possible design, the first application module is further configured to request the key management module to encrypt first data; the key management module is further configured to determine, according to the request, the process group in which the first application module is located, and to encrypt the first data using the encryption key corresponding to that process group to generate second data, where N process groups correspond to M encryption keys and each process group corresponds to one encryption key; the key management module is further configured to send the second data to the first application module.
  • The first application module is further configured to save the second data.
  • In one possible design, the key management module is further configured to obtain an identifier of the first application module, to determine according to that identifier the process group in which the first application module is located, and to obtain the encryption key corresponding to that process group according to the process group identifier.
  • In a third aspect, a terminal includes a processor, a memory and a touch screen, the memory and the touch screen being coupled to the processor. The memory stores computer program code comprising computer instructions; when the processor executes the computer instructions, the terminal performs the data processing method of any possible design of the first aspect.
  • In a fourth aspect, a computer storage medium comprises computer instructions that, when run on a terminal, cause the terminal to perform the data processing method of any possible design of the first aspect.
  • In a fifth aspect, a computer program product, when run on a computer, causes the computer to perform the data processing method of any possible design of the first aspect.
  • FIG. 1 is a schematic structural diagram of hardware of a terminal provided by the present application.
  • FIG. 2 is a schematic flowchart 1 of a data processing method provided by the present application.
  • FIG. 3 is a schematic diagram of a storage space of a process provided by the present application.
  • FIG. 4 is a schematic flowchart 2 of a data processing method provided by the present application.
  • FIG. 5 is a schematic flowchart 3 of a data processing method provided by the present application.
  • FIG. 6 is a schematic structural diagram of software of a terminal provided by the present application.
  • FIG. 7 is a schematic flowchart 4 of a data processing method provided by the present application.
  • FIG. 8 is a schematic flowchart 5 of a data processing method provided by the present application.
  • FIG. 9 is a schematic flowchart 6 of a data processing method provided by the present application.
  • FIG. 10 is a schematic flowchart 7 of a data processing method provided by the present application.
  • FIG. 11 is a schematic flowchart 8 of a data processing method provided by the present application.
  • FIG. 12 is a schematic diagram 1 of a composition of a terminal provided by the present application.
  • FIG. 13 is a schematic diagram 2 of a composition of a terminal provided by the present application.
  • first and second are used for descriptive purposes only, and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, features defining “first” and “second” may include one or more of the features either explicitly or implicitly. In the description of the present application, "a plurality” means two or more unless otherwise stated.
  • When the terminal installs an application, the application is assigned a unique user identifier (UID) that is kept for as long as the application remains installed; each of its running processes additionally has a process identifier (PID).
  • A Binder mechanism is used for communication between different applications.
  • The Binder mechanism is based on a client/server (C/S) architecture: the accessed application acts as the server and the accessing application acts as the client. The client sends the requested task to the server, and the server checks, according to its permission policy and the client's UID/PID, whether the client has the required access right. Only a client that has applied for, and been granted, the specific permission can access the server.
  • Permissions are divided into install-time permissions and dynamic (runtime) permissions.
  • With install-time permissions, all permissions used by the application are requested once when it is first installed, as in versions of Android before Android 6.0 (also known as Android M).
  • With dynamic permissions, the application asks the user for a permission at the time it needs it while running, as in Android M and later versions.
  • The present application provides a data processing method in which the applications installed on a terminal are grouped, and applications in the same group encrypt their key data at runtime using the same key. Encrypted data of an application can then be decrypted only by applications in the same group. Even if a malicious application obtains the access right to an application, it cannot decrypt that application's encrypted data because it is not in the same group, so the security of the user's data is preserved.
  • The terminal in the present application may be any device that can install applications and display application icons, such as a mobile phone (for example the mobile phone 100 shown in FIG. 1), a tablet computer, a personal computer (PC), a personal digital assistant (PDA), a smart watch, a netbook, a wearable electronic device, an augmented reality (AR) device or a virtual reality (VR) device.
  • The present application does not impose any special restrictions on the specific form of the terminal.
  • the mobile phone 100 is used as the terminal example.
  • the mobile phone 100 may specifically include:
  • The processor 101 is the control center of the mobile phone 100. It connects the various parts of the mobile phone 100 through various interfaces and lines, and performs the functions of the mobile phone 100 by running or executing applications stored in the memory 103 and calling data stored in the memory 103.
  • the processor 101 may include one or more processing units; for example, the processor 101 may be a Kirin 960 chip manufactured by Huawei Technologies Co., Ltd.
  • the radio frequency circuit 102 can be used to receive and transmit wireless signals during transmission or reception of information or calls.
  • The radio frequency circuit 102 can receive downlink data from the base station and pass it to the processor 101 for processing, and transmit uplink data to the base station.
  • radio frequency circuits include, but are not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like.
  • the radio frequency circuit 102 can also communicate with other devices through wireless communication.
  • the wireless communication can use any communication standard or protocol, including but not limited to global mobile communication systems, general packet radio services, code division multiple access, wideband code division multiple access, long term evolution, email, short message service, and the like.
  • the memory 103 is used to store applications and data, and the processor 101 executes various functions and data processing of the mobile phone 100 by running applications and data stored in the memory 103.
  • The memory 103 mainly includes a program storage area and a data storage area. The program storage area can store an operating system and the applications required for at least one function (such as a sound playing function or an image playing function); the data storage area can store data created during use of the mobile phone 100 (such as audio data or a phone book).
  • The memory 103 may include high-speed random access memory (RAM) and may also include non-volatile memory such as a magnetic disk storage device, a flash memory device or another non-volatile solid-state storage device.
  • The memory 103 can store various operating systems, for example the operating system developed by Apple Inc. or the operating system developed by Google Inc.
  • the above memory 103 may be independent and connected to the processor 101 via the above communication bus; the memory 103 may also be integrated with the processor 101.
  • the touch screen 104 may specifically include a touch panel 104-1 and a display 104-2.
  • The touch panel 104-1 can collect touch events by the user on or near it (for example, operations the user performs on or near the touch panel 104-1 with any suitable object such as a finger or a stylus) and send the collected touch information to another device (for example, the processor 101).
  • A touch event by the user near the touch panel 104-1 may be referred to as a hovering touch: the user does not need to directly touch the touch panel in order to select, move or drag a target (such as an icon), but only needs to be near the device to perform the desired function.
  • the touch panel 104-1 can be implemented in various types such as resistive, capacitive, infrared, and surface acoustic waves.
  • The display screen (also referred to as the display) 104-2 can be used to display information entered by the user, information provided to the user, and the various menus of the mobile phone 100.
  • the display 104-2 can be configured in the form of a liquid crystal display, an organic light emitting diode, or the like.
  • the touchpad 104-1 can be overlaid on the display 104-2, and when the touchpad 104-1 detects a touch event on or near it, it is transmitted to the processor 101 to determine the type of touch event, and then the processor 101 may provide a corresponding visual output on display 104-2 depending on the type of touch event.
  • Although the touch panel 104-1 and the display screen 104-2 may be implemented as two separate components to provide the input and output functions of the mobile phone 100, in some embodiments the touch panel 104-1 and the display screen 104-2 are integrated to implement those functions. It is to be understood that the touch screen 104 is formed by stacking a plurality of layers of material; only the touch panel (layer) and the display screen (layer) are shown in this embodiment, and the other layers are not described.
  • The touch panel 104-1 may be disposed on the front surface of the mobile phone 100 as a full panel, and the display screen 104-2 may also be disposed on the front surface of the mobile phone 100 as a full panel, so that the front of the mobile phone can have a borderless structure.
  • The mobile phone 100 can also have a fingerprint recognition function.
  • The fingerprint collection device 112 can be disposed on the back of the mobile phone 100 (for example, below the rear camera) or on its front (for example, below the touch screen 104).
  • The fingerprint collection device 112 can also be built into the touch screen 104 to implement the fingerprint recognition function, that is, integrated with the touch screen 104 to implement fingerprint recognition for the mobile phone 100.
  • In that case the fingerprint collection device 112 is disposed in the touch screen 104 and may be part of the touch screen 104 or otherwise disposed in it.
  • The main component of the fingerprint collection device 112 in this embodiment is a fingerprint sensor, which can employ any type of sensing technology, including but not limited to optical, capacitive, piezoelectric or ultrasonic sensing.
  • the mobile phone 100 may also include a Bluetooth device 105 for enabling data exchange between the handset 100 and other short-range devices (eg, mobile phones, smart watches, etc.).
  • the handset 100 can also include at least one type of sensor 106, such as a light sensor, motion sensor, and other sensors.
  • The light sensor may include an ambient light sensor and a proximity sensor: the ambient light sensor can adjust the brightness of the display of the touch screen 104 according to the ambient light, and the proximity sensor can turn off the display when the mobile phone 100 is moved to the ear.
  • An accelerometer sensor can detect the magnitude of acceleration in all directions (usually three axes) and, when stationary, the magnitude and direction of gravity. It can be used for functions that identify the posture of the mobile phone (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and for vibration-recognition functions (such as a pedometer or tap detection).
  • The mobile phone 100 can also be configured with a gyroscope, barometer, hygrometer, thermometer, infrared sensor and other sensors, which are not described here.
  • the WiFi device 107 is configured to provide the mobile phone 100 with network access complying with the WiFi-related standard protocol, and the mobile phone 100 can access the WiFi access point through the WiFi device 107, thereby helping the user to send and receive emails, browse web pages, and access streaming media. It provides users with wireless broadband Internet access.
  • the WiFi device 107 can also function as a WiFi wireless access point, and can provide WiFi network access for other devices.
  • The positioning device 108 is configured to provide a geographic location for the mobile phone 100. The positioning device 108 can specifically be a receiver of a positioning system such as the Global Positioning System (GPS), the BeiDou satellite navigation system or the Russian GLONASS. After receiving the geographic location transmitted by the positioning system, the positioning device 108 sends it to the processor 101 for processing or to the memory 103 for storage. In some other embodiments, the positioning device 108 can be an Assisted GPS (AGPS) receiver; AGPS assists the positioning device 108 in ranging and positioning by acting as an assistance server, which provides positioning assistance over a wireless communication network to the positioning device 108 (i.e. the GPS receiver) of a device such as the mobile phone 100.
  • In some other embodiments, the positioning device 108 can also use a positioning technology based on WiFi access points. Since each WiFi access point has a globally unique Media Access Control (MAC) address, the device can, when WiFi is on, scan and collect the broadcast signals of surrounding WiFi access points and thereby obtain the MAC addresses they broadcast. The device sends data identifying the WiFi access points (such as the MAC addresses) to the location server over the wireless communication network; the location server retrieves the geographic location of each WiFi access point, combines it with the strength of the WiFi broadcast signals to calculate the geographic location of the device, and sends the result to the positioning device 108 of the device.
  • the audio circuit 109, the speaker 113, and the microphone 114 can provide an audio interface between the user and the handset 100.
  • The audio circuit 109 can convert received audio data into an electrical signal and transmit it to the speaker 113, which converts it into a sound signal for output; conversely, the microphone 114 converts a collected sound signal into an electrical signal, which the audio circuit 109 receives and converts into audio data. The audio data is then output to the radio frequency circuit 102 for transmission to, for example, another mobile phone, or output to the memory 103 for further processing.
  • The peripheral interface 110 provides various interfaces for external input/output devices (such as a keyboard, a mouse, an external display, external memory or a subscriber identity module card). For example, a mouse is connected through a Universal Serial Bus (USB) interface, and a Subscriber Identity Module (SIM) card provided by the service provider is connected through the metal contacts in the SIM card slot. The peripheral interface 110 can be used to couple these external input/output peripherals to the processor 101 and the memory 103.
  • the mobile phone 100 may further include a power supply device 111 (such as a battery and a power management chip) that supplies power to the various components.
• the battery may be logically connected to the processor 101 through the power management chip, so that charging, discharging, power consumption management and other functions are handled by the power supply device 111.
• the mobile phone 100 may further include a camera (front camera and/or rear camera), a flash, a micro projection device, a near field communication (NFC) device, and the like, and details are not described herein.
• a flow chart of a data processing method provided by the present application, which includes an encryption process for data. The method is applicable to a terminal on which a first application process and a key management process run, and specifically includes:
  • the first application process generates first data.
• the first application process is one of the processes run by the first application. The first application may be any application on the terminal, that is, a program and data set that performs certain business functions, for example a short message application, the Meituan application, the Taobao application, etc.
• the first data may be data that needs to be encrypted, for example data determined to be important, critical or sensitive according to the first application process or the service nature of the first application.
• for example, if the first application is a short message application, the first data may be information such as an account number, a password, a verification code, or the short message content.
• the first data may be the entire short message content that includes the key data, or only the key data within the short message content, which is not limited in the embodiment of the present application. If the first data is data that needs to be encrypted, the first application process requests the key management module to encrypt the first data, that is, step S102 is performed.
• the first data may also be data that does not need to be encrypted, for example data determined not to need encryption according to the service nature of the first application process or the first application; in that case the first application process stores the first data directly and the following steps are not performed.
  • the first application process requests the key management module to encrypt the first data, where the request message carries the first data.
• the key management module is mainly used to perform encryption and decryption on specific data of each application process, and to create and manage the encryption and decryption keys of each group.
• when the key management module is running, it can also be called a key management process.
  • the key management module encrypts the first data to generate second data.
• when the key management module is invoked by the first application process, the Binder-based inter-process communication mechanism lets the key management module obtain the identifier of the caller, that is, the identifier of the first application process.
• the identifier of the first application process may be the PID of the first application process or the UID of the first application. (A PID is reused by the system once the process exits, whereas the UID is bound to the installed application, so the UID is the more stable identity on which to base the group lookup.)
• the key management module may determine, according to the identifier of the first application process, the group corresponding to the first application process, and obtain the identifier of that group.
• the encryption key corresponding to the first application process is obtained according to the identifier of the group corresponding to the first application process.
  • the key management module encrypts the first data according to the obtained encryption key to obtain the second data.
  • the second data is the data encrypted by the first data, and is a ciphertext.
• the first application process may correspond to one group, and that group corresponds to one encryption key, so the first application process corresponds to one encryption key.
• the key management module encrypts the first data using that one encryption key.
• the first application process may also correspond to multiple groups, and the multiple groups correspond to multiple encryption keys, so the first application process corresponds to multiple encryption keys.
• the key management module encrypts the first data using the plurality of encryption keys.
• which is not limited in the embodiment of the present application.
• a grouping here may also be referred to as a process group.
• one or more processes running in the terminal may be divided into one or more process groups.
• the one or more process groups respectively correspond to one or more encryption keys.
• for example, the application processes running on a terminal can be divided into three process groups, namely process group A, process group B, and process group C.
• process group A, process group B, and process group C may respectively correspond to different encryption keys; or process group A and process group B may correspond to one and the same encryption key while process group C corresponds to another, different encryption key;
• or process group A, process group B, and process group C may all correspond to one and the same encryption key.
• the correspondence between process groups and encryption keys is not limited in the embodiment of the present application.
  • the key management module sends the second data to the first application process.
  • the first application process saves the second data.
  • the first application process saves the second data in an encrypted storage area in the first application process.
  • the encrypted storage area is a specific storage space in the first application process, and is dedicated to storing data encrypted by the key management module.
  • FIG. 3 is a spatial schematic diagram of a first application process.
• the space of the first application process includes: a stack, a heap, a BSS (Block Started by Symbol) segment, a data segment, and a code segment (code/text segment).
• the BSS segment, the data segment and the code segment are statically allocated memory, used to store code, global variables and static variables, and have a fixed size for the life of the process.
• the stack is automatically allocated and freed by the operating system, stores the local variables of the first application process, and can also be used to pass parameters and return values.
• the heap is allocated and released by the first application process itself, and holds the dynamically allocated memory of the first application process.
• the first application process may allocate a memory region in the heap to store the data encrypted by the key management module; that region is the encrypted storage area.
• in the flow described above, the first application process first determines the group it corresponds to, then obtains the encryption key corresponding to that group, encrypts its data with that key, and stores the result in a dedicated encrypted storage area, which helps to improve the security of the application's critical data.
  • FIG. 4 a flowchart of a method for data processing according to an embodiment of the present application, where the method includes a process for decrypting data, specifically includes:
  • the second application process requests the first application process to access the third data of the first application process.
• the second application process may be another process of the first application, different from the first application process; the second application process may also be a process of a second application, where the second application is different from the first application.
  • the second application process needs to obtain permission to access the first application process in advance, as shown in S201a. Specifically, the second application process sends a request for applying for access rights to the first application process, and the first application process authorizes the second application process. It is also possible that the first application process directly authorizes the second application process, and allows the second application process to access data of the first application process. It is also possible that the first application process defaults that the second application process has the right to access the first application process, which is not limited in this embodiment.
  • the second application process can read the data of the first application process, including the third data.
  • the second application process can read all the data in the first application process, and can also read the data associated with the second application process, which is not limited in this embodiment.
• for example, the first application process is a process of the short message application,
• the second application process is a process of the Meituan application,
• and the Meituan application has the right to access the short message application.
• the Meituan application can read all the SMS content in the SMS application, or the Meituan application can read only the SMS content associated with it in the SMS application, for example the verification code information sent to the SMS application for the Meituan application.
  • the first application process determines that the third data is stored in the encrypted storage area.
  • the first application process determines, according to the index corresponding to the third data, whether the third data is stored in the encrypted storage area. If the third data is not stored in the encrypted storage area, the third data is plaintext, and the first application process sends the third data to the second application process. If the third data is stored in the encrypted storage area, the third data is cipher text, and the first application process further needs to decrypt the third data, that is, step S203 is performed.
  • the first application process requests the key management module to decrypt the third data, where the request carries the identifier of the second application process and the third data.
  • the first application process may obtain the identifier of the calling program, that is, the identifier of the second application process.
• the key management module determines, according to the identifier of the second application process, whether the second application process is in the group corresponding to the first application process; if yes, S205 is executed; otherwise, the key management module does not decrypt the third data and returns the third data directly.
• the key management module may obtain the identifier of the caller, that is, the identifier of the first application process.
• the key management module may determine, according to the identifier of the first application process, the group corresponding to the first application process and the identifiers of the applications included in that group. Further, the key management module may determine, according to the identifier of the second application process, whether the second application process is in that group. If it is, the key management module decrypts the third data, that is, step S205 is performed. If it is not, the key management module does not decrypt the third data and returns the third data to the first application process unchanged; alternatively, the key management module may directly reject the decryption request of the first application process for the third data and end the process.
• in this way, when the second application process accesses the first application process, even if the second application process has access rights, if the second application process and the first application process do not belong to the same group, the second application process cannot obtain the plaintext of the data that the first application process stores in the encrypted storage area. Thus, if the second application process is a malicious program, even if the user has authorized it to access the first application process, it cannot obtain the data encrypted by the first application process, which improves the security of the encrypted data of the first application process.
  • the key management module decrypts the third data to obtain fourth data.
• the key management module obtains the decryption key corresponding to the group according to the group corresponding to the first application process.
  • the third data is decrypted by using the obtained decryption key to obtain fourth data.
  • the fourth data is data after the third data is decrypted, and is plaintext.
• the first application process may correspond to one group, that group corresponds to one decryption key, and so the first application process corresponds to one decryption key.
• the key management module decrypts the third data using that one decryption key.
• the first application process may also correspond to multiple groups, each of which corresponds to a decryption key, so the first application process corresponds to multiple decryption keys.
• the key management module decrypts the third data using the plurality of decryption keys.
• which is not limited in the embodiment of the present application.
  • the key management module sends fourth data to the first application process.
  • the first application process sends fourth data to the second application process.
• in the method above, when the second application process needs to access the encrypted data of the first application process, the first application process has to apply to the key management module to decrypt the encrypted data.
• the key management module first determines whether the second application process is in the group corresponding to the first application process, and only if so decrypts the encrypted data and returns the decrypted data to the first application process. This prevents the second application process from reading the encrypted data of the first application process merely by obtaining permission to access the first application process, and improves the security of the data of the first application process.
• in the flow above, the second application process applies to the key management module to decrypt the third data through the first application process.
• the second application process may also apply to the key management module directly to decrypt the third data, in which case steps S202 to S207 are replaced with steps S301 to S305.
  • FIG. 5 it is a flowchart of a data processing method provided by an embodiment of the present application, where the method includes steps S201 and S301 to S305, as follows:
  • the first application process returns third data to the second application process.
• if the third data is stored in the encrypted storage area of the first application process, the third data is ciphertext, and the second application process needs to have it decrypted, that is, step S302 is performed. If the third data is stored in the non-encrypted storage area of the first application process, the third data is plaintext, that is, the data the second application process finally needs to obtain.
  • the second application process requests the key management module to decrypt the third data, where the request carries the third data and the identifier of the first application process.
  • the second application process may obtain the identifier of the caller, that is, the identifier of the first application process.
• the key management module determines whether the second application process is in the group corresponding to the first application process. If yes, S304 is executed; otherwise, the key management module does not decrypt the third data and returns the third data directly to the requesting second application process.
• the key management module may also obtain the identifier of the caller, that is, the identifier of the second application process. Then, according to the identifier of the first application process carried in the request, the key management module determines the group corresponding to the first application process and the identifiers of the application processes included in that group. Further, the key management module may determine, according to the identifier of the second application process, whether the second application process is in that group. If it is, the key management module decrypts the third data, that is, step S304 is performed. If it is not, the key management module does not decrypt the third data and returns it unchanged to the second application process; alternatively, the key management module may directly reject the decryption request of the second application process for the third data and end the process.
  • the key management module decrypts the third data to obtain fourth data.
  • This step can refer to step S205, and details are not repeatedly described.
  • the key management module sends fourth data to the second application process.
• in this flow, the second application process applies to the key management module directly to decrypt the encrypted data.
• the key management module first determines whether the second application process is in the group corresponding to the first application process, and only if so decrypts the encrypted data and returns the decrypted data to the second application process. This prevents the second application process from reading the encrypted data of the first application process merely by obtaining permission to access the first application process, and improves the security of the data of the first application process.
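The following is an added example, not code from the patent or from its assignee: a Python model of the encryption flow (S101 to S105) and of both decryption flows (FIG. 4, where the data owner calls the key management module, and FIG. 5, where the requester calls it), structured the way the later embodiment splits the key management module into a group management part (identifier to group to key index) and an encryption part in front of a secure storage module. Everything concrete is assumed: the UIDs, the group names, the SMS text, and the identity that Binder would report (here simply the trusted first argument of each call, never read from the payload). Keymaster is unavailable offline, so the secure store uses HMAC-SHA256 as a keystream generator and as an encrypt-then-MAC tag in place of AES-GCM; the group logic is the point, not the cipher.

```python
import hashlib
import hmac
import os


class AccessDenied(Exception):
    """Decryption refused: requester and data owner are not in the same group."""


class SecureStorageModule:
    """Stand-in for keystore + keymaster: key bytes never leave this object and
    callers hold only an index. HMAC-SHA256 serves as keystream generator and
    as MAC (encrypt-then-MAC), an offline substitute for AES-GCM in keymaster."""

    def __init__(self):
        self._keys = {}

    def create_key(self, group_id):
        index = "grpkey:%s:%s" % (group_id, os.urandom(4).hex())
        self._keys[index] = os.urandom(32)
        return index

    def _subkeys(self, index):
        root = self._keys[index]
        return tuple(hmac.new(root, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

    def _xor_keystream(self, enc_key, nonce, data):
        stream, counter = b"", 0
        while len(stream) < len(data):
            stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(d ^ k for d, k in zip(data, stream))

    def encrypt(self, index, plaintext):
        enc_key, mac_key = self._subkeys(index)
        nonce = os.urandom(16)
        body = self._xor_keystream(enc_key, nonce, plaintext)
        return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

    def decrypt(self, index, blob):
        enc_key, mac_key = self._subkeys(index)
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
        if len(blob) < 48 or not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return self._xor_keystream(enc_key, nonce, body)


class KeyManagementModule:
    """Group management (uid -> group -> key index) in front of the secure store.
    Whichever uid is the Binder caller is trusted; the other one comes from the
    request payload (FIG. 4: the owner calls; FIG. 5: the requester calls)."""

    def __init__(self, storage, group_of_uid):
        self.storage = storage
        self.group_of_uid = dict(group_of_uid)  # filled by the grouping policy (assumed)
        self.key_index_of_group = {}

    def _key_index(self, uid):
        group = self.group_of_uid[uid]
        if group not in self.key_index_of_group:
            self.key_index_of_group[group] = self.storage.create_key(group)
        return self.key_index_of_group[group]

    def encrypt(self, caller_uid, first_data):
        # S102-S104: the caller's own group key encrypts its data.
        return self.storage.encrypt(self._key_index(caller_uid), first_data)

    def decrypt(self, owner_uid, requester_uid, third_data):
        # S204/S303: refuse unless both uids map to the same group.
        owner_group = self.group_of_uid.get(owner_uid)
        if owner_group is None or self.group_of_uid.get(requester_uid) != owner_group:
            raise AccessDenied("uid %s is not in the group of uid %s" % (requester_uid, owner_uid))
        # S205/S304: decrypt with the owner's group key.
        return self.storage.decrypt(self._key_index(owner_uid), third_data)


def run_demo():
    """Constructed scenario: SMS (10001) and bank (10002) apps share a group;
    a side-loaded app (10003) is in another group."""
    kmm = KeyManagementModule(SecureStorageModule(),
                              {10001: "trusted", 10002: "trusted", 10003: "untrusted"})
    sms_uid, encrypted_area = 10001, {}
    encrypted_area["sms:1"] = kmm.encrypt(sms_uid, b"Your verification code is 4417")  # S101-S105
    blob = encrypted_area["sms:1"]
    results = {"same_group": kmm.decrypt(sms_uid, 10002, blob)}
    for label, owner, requester in (("other_group", sms_uid, 10003),
                                    ("spoofed_owner", 10003, 10003)):
        try:
            kmm.decrypt(owner, requester, blob)
            results[label] = "decrypted"
        except AccessDenied:
            results[label] = "denied"
        except ValueError:
            results[label] = "integrity failure"  # wrong group key: MAC does not verify
    return results


if __name__ == "__main__":
    print(run_demo())
```

The `spoofed_owner` case is the one worth studying: in the FIG. 5 variant the owner identifier arrives in the payload, so a requester can name any owner it likes, but the only key the module will ever apply is the one belonging to the requester's Binder-verified group, and a ciphertext produced under another group's key then fails the integrity check. The payload identifier therefore cannot widen access beyond what the caller's own group key can decrypt.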
  • FIG. 6 it is a schematic diagram of a composition of a terminal provided by an embodiment of the present application.
  • the terminal includes multiple application processes 601 - 604 , a key management module 605 , and a secure storage module 606 .
  • the terminal groups the multiple application processes, and the application processes in the same group use the same key to encrypt and decrypt specific data, that is, the application processes in the same group can access specific data.
  • the grouping method will be specifically described below.
  • the application process 601 and the application process 602 are processes of the first group.
  • Application process 603 and application process 604 are processes of the second group.
• the key management module 605 is configured to perform encryption and decryption on specific data of each application process, and to create and manage the encryption and decryption keys of each group. Specifically, the key management module 605 further includes a group management module 60501 and an encryption module 60502.
• the group management module 60501 is configured to group the application processes according to a grouping policy.
• the group management module 60501 can generate a grouping policy automatically, and can also receive the user's settings and update the grouping policy; the present application does not limit the grouping policy.
• the group management module 60501 can also request the encryption module 60502 to create a key for a group, and establish the correspondence between an application and its group and/or key.
• the encryption module 60502 is configured to create a new key pair for a group, encrypt and decrypt the data of application processes, and the like.
• the secure storage module 606 is configured to store the encryption and decryption keys generated by the key management module 605, so as to ensure the security of key storage.
  • the terminal can group the application processes according to the source of the application corresponding to the application process, the service type, and the like.
  • the grouping strategy can be grouped according to the download source of the application.
• applications downloaded from the application market of the terminal have been reviewed before being listed, so they can be regarded as trusted applications and placed in one group; applications obtained in other ways, not downloaded through the application market, can be regarded as untrusted applications and placed in another group.
  • the grouping policy may also be grouped according to the specific service type of the application. Specifically, when the applications downloaded from the application market are on the shelves, the application market will classify these applications, such as: office, shopping, social, entertainment, news, and so on. Then, the application can be grouped according to the classification, for example, the application of the same type is divided into one group, or the application of several types is divided into one group, which is not limited in the embodiment of the present application.
• the application market also sends the source information and service type of the application to the terminal, so that the terminal groups the application according to this information; alternatively, the application market sends the classification information of the application to the application itself.
  • Figure 7 it is a schematic diagram of the process of publishing, reviewing, sorting, and downloading applications.
• when an application developer or user discovers that an application has malicious behavior, it can be reported to the application market, and the application market re-reviews and re-groups the application. FIG. 8 shows the process flow for re-reviewing an application.
  • the grouping policy may also be to specify that certain applications are divided into one group according to the user's settings.
  • the grouping policy may also be a combination of the above various grouping policies, which is not limited in the embodiment of the present application.
  • the terminal groups each application according to the grouping policy and determines a key for each group.
  • FIG. 9 a schematic flowchart of a method for data processing according to an embodiment of the present application, where the method specifically includes:
• after detecting that a third application is installed, the terminal notifies the group management module to group the third application process corresponding to the third application.
  • the third application is a new application that the terminal needs to install, and the third application is different from the first application and the second application.
  • the terminal may also notify the group management module after detecting that the user requests to install the third application, which is not limited in the embodiment of the present application.
• applications on the terminal are of two types. One type is preinstalled on the terminal, such as a short message application, a photography application, a browser application, and the like.
• these applications are installed by the system when the terminal is first turned on.
• the other type is downloaded and installed by the user, for example the Meituan application or the Alipay application, whose installation on the terminal is triggered by the user's operation.
• the terminal can notify the group management module after the application is installed or when the installation starts.
• the group management module groups the third application process according to the grouping policy.
• the group management module determines the group corresponding to the third application process according to the service type or the download source of the third application, associates the identifier of the third application process with the group identifier, and saves the association locally.
• if the third application process is the first application installed in the group, the group management module requests the encryption module to create a new key pair for the group, that is, step S403 is performed. If the third application process is not the first application installed in the group, the group management module directly establishes the correspondence between the third application process, the group and the key, that is, step S406 is performed.
• for example, the third application is the Meituan application,
• and the group corresponding to the third application process is the shopping group. Then, when the installation of the Meituan application is completed, or when the terminal receives the user's request to install the Meituan application, the group management module is notified.
• the group management module places the Meituan application in the shopping group. If the Meituan application is the first application installed in the shopping group, the group management module requests the encryption module to create a key pair for the shopping group. If it is not the first application installed in the shopping group, the group management module directly associates the Meituan application with the shopping group and its key.
• the group management module sends a request to the encryption module to create a key pair for the group corresponding to the third application process.
• the request carries the identifier of the group corresponding to the third application process.
• the encryption module creates a key pair for the group corresponding to the third application process.
  • the encryption module stores the created key pair in a secure storage module.
  • the secure storage module may include a keystore and a keymaster.
  • the keystore is used to store an index of a key pair, and is used to provide an interface for other applications to use a key pair.
  • the keymaster is used to store the contents of the key pair and encrypt and decrypt the data.
  • the encryption module can store the created key pair in the keymaster through the keystore. Since the keymaster is physically isolated from the keystore, the security of the key pair can be improved.
• the encryption module returns information about the created key pair to the group management module.
• the information about the key pair may include the correspondence between the group identifier and the index of the key pair.
• that is, the encryption module may return the correspondence between the group identifier and the index of the key pair to the group management module.
• the corresponding encryption key can then be looked up in the secure storage module according to the index of the key pair and used for encryption,
• and the corresponding decryption key can be looked up in the secure storage module according to the index of the key pair and used for decryption.
  • the step S405 can also be performed before or at the same time as S404.
  • the embodiment of the present application does not limit the order relationship between the steps S404 and S405.
• the group management module associates the third application process with the group and the key pair.
• the group management module establishes the correspondence between the identifier of the third application process, the group and the key pair index, according to the correspondence between the group identifier and the key pair index returned by the encryption module and the correspondence between the identifier of the third application process and the group identifier already stored locally.
• that correspondence between the identifier, the group and the key pair index is recorded by the group management module.
• when the grouping of an application changes, the group management module needs to update the correspondence between the application, the group and the key pair.
• for example, a malicious application can be removed from its group and switched to another group, after which the malicious application is no longer allowed to access the data of the other applications in the original group.
• an application that does not need to be in a certain group may also be removed from the group and switched to another group.
• the embodiment of the present application thus provides a data processing method that groups applications, creates a key pair for each group, and establishes the correspondence between an application, its group and the key pair, so that the applications in the same group use the same key for encryption and decryption.
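The following is an added example, not code from the patent or from its assignee: a Python model of the FIG. 9 install-time flow (S401 to S406) together with the re-review path just described. The grouping policy combines the three policies the page lists (a user setting, the download source, and the market's service category) in that order of precedence; the package names, sources, categories and group names are constructed for the demo, and treating preinstalled applications as reviewed is an assumption. The encryption module stands in for keystore plus keymaster: it keeps a random secret per group in place of a real key pair and hands out only an index, which is all the group management module ever stores.

```python
import os


class EncryptionModule:
    """S403-S405: creates one key per group and keeps it in a stand-in secure
    store; callers receive only an index, as keystore hands out for
    keymaster-backed keys. A random secret stands in for the key pair."""

    def __init__(self):
        self._secure_store = {}

    def create_key_pair(self, group_id):
        index = "%s#%s" % (group_id, os.urandom(4).hex())
        self._secure_store[index] = os.urandom(32)
        return {"group_id": group_id, "key_index": index}  # S405 reply

    def has_key(self, index):
        return index in self._secure_store


class GroupManagementModule:
    """S401-S406 plus the re-review path: maps each app to a group and each
    group to a key index."""

    UNTRUSTED = "untrusted"
    TRUSTED_SOURCES = ("app_market", "preinstalled")  # assumption: preinstalled apps count as reviewed

    def __init__(self, encryption_module, user_overrides=None):
        self.enc = encryption_module
        self.user_overrides = dict(user_overrides or {})  # package -> group set by the user
        self.group_of_app = {}        # package -> group id
        self.key_index_of_group = {}  # group id -> key index

    def grouping_policy(self, package, source, service_type):
        """Combined policy: user setting, then download source, then market category."""
        if package in self.user_overrides:
            return self.user_overrides[package]
        if source not in self.TRUSTED_SOURCES:
            return self.UNTRUSTED
        return "reviewed:%s" % service_type

    def _ensure_group_key(self, group):
        if group not in self.key_index_of_group:  # first app in this group -> S403-S405
            self.key_index_of_group[group] = self.enc.create_key_pair(group)["key_index"]
        return self.key_index_of_group[group]

    def on_install(self, package, source, service_type):
        group = self.grouping_policy(package, source, service_type)  # S402
        self.group_of_app[package] = group
        return group, self._ensure_group_key(group)  # S406: app <-> group <-> key index

    def key_index_for(self, package):
        return self.key_index_of_group[self.group_of_app[package]]

    def same_group(self, a, b):
        return a in self.group_of_app and self.group_of_app[a] == self.group_of_app.get(b)

    def regroup(self, package, new_group):
        """Re-review outcome: move an app (e.g. one reported as malicious) to another group."""
        old_group = self.group_of_app[package]
        self.group_of_app[package] = new_group
        self._ensure_group_key(new_group)
        return old_group, new_group


def run_demo():
    """Constructed install events: (package, download source, market category)."""
    gm = GroupManagementModule(EncryptionModule(), user_overrides={"com.example.notes": "personal"})
    installs = [
        ("com.example.sms", "preinstalled", "messaging"),
        ("com.meituan", "app_market", "shopping"),
        ("com.taobao", "app_market", "shopping"),
        ("com.example.game", "sideload", "entertainment"),
        ("com.example.notes", "app_market", "office"),
    ]
    for package, source, service_type in installs:
        gm.on_install(package, source, service_type)
    shopping_index = gm.key_index_for("com.taobao")
    results = {
        "meituan_taobao_same_group": gm.same_group("com.meituan", "com.taobao"),
        "shared_index": gm.key_index_for("com.meituan") == shopping_index,
        "game_group": gm.group_of_app["com.example.game"],
        "notes_group": gm.group_of_app["com.example.notes"],
        "groups_with_keys": len(gm.key_index_of_group),
    }
    # Meituan is reported, re-reviewed and found malicious: it moves out of the shopping group.
    gm.regroup("com.meituan", GroupManagementModule.UNTRUSTED)
    results["after_regroup_same_group"] = gm.same_group("com.meituan", "com.taobao")
    results["shopping_index_unchanged"] = gm.key_index_for("com.taobao") == shopping_index
    results["groups_with_keys_after"] = len(gm.key_index_of_group)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note what regrouping does and does not do in this scheme: the shopping group's key index is unchanged after the malicious app is moved out, so exclusion rests entirely on the key management module refusing to decrypt for an app that is no longer in the group, not on the group key itself changing.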
• when the key management module is divided into a group management module and an encryption module, steps S102 to S104 are refined accordingly and can be replaced with steps S501 to S507.
• the data processing method provided by the embodiment of the present application then further includes:
• the group management module receives the first data sent by the first application process.
• the group management module is invoked by the first application process, so it can obtain the identifier of the first application process.
• the group management module obtains the index of the encryption key or key pair corresponding to the first application process according to the identifier of the first application process.
• the group management module looks up the group identifier corresponding to the identifier of the first application process, and then determines the index of the encryption key or key pair corresponding to that group identifier.
• the index found is that of the encryption key or key pair corresponding to the first application process.
• the group management module sends the first data and the obtained index of the encryption key or key pair to the encryption module.
• the encryption module reads the encryption key corresponding to the first application process from the secure storage module according to the index of the encryption key or key pair.
• the encryption module encrypts the first data with the obtained encryption key to obtain the second data.
• the encryption module sends the obtained second data to the group management module.
• the group management module sends the second data to the first application process.
• likewise, steps S203 to S206 of the decryption flow are refined and can be replaced with steps S601 to S607. As shown in FIG. 11, the data processing method provided by the embodiment of the present application further includes:
• the first application process requests the group management module to decrypt the third data, where the request carries the identifier of the second application process and the third data.
• the first application process may obtain the identifier of the calling program, that is, the identifier of the second application process.
• the group management module determines, according to the identifier of the second application process, whether the second application process is in the group corresponding to the first application process. If yes, step S603 is performed. Otherwise, the group management module does not request the encryption module to decrypt the third data, but directly returns the third data to the first application process.
• the group management module may obtain the identifier of the caller, that is, the identifier of the first application process.
• the group management module may determine, according to the identifier of the first application process, the group corresponding to the first application process and the identifiers of the applications included in that group. Further, the group management module may determine, according to the identifier of the second application process, whether the second application process is in that group. If it is, the group management module requests the encryption module to decrypt the third data, that is, step S603 is performed. If it is not, the group management module does not request the encryption module to decrypt the third data, but directly returns the third data to the first application process, and the first application process returns the third data to the second application process.
• the group management module obtains the index of the decryption key or key pair corresponding to the first application process according to the identifier of the first application process.
• the group management module looks up the group identifier corresponding to the identifier of the first application process, and then determines the index of the decryption key or key pair corresponding to that group identifier.
• the index found is that of the decryption key or key pair corresponding to the first application process.
• the group management module sends the third data and the obtained index of the decryption key or key pair to the encryption module.
• the encryption module reads the decryption key corresponding to the first application process from the secure storage module according to the index of the decryption key or key pair.
  • the encryption module decrypts the third data according to the obtained decryption key to obtain fourth data.
  • the fourth data is data after the third data is decrypted, and is plaintext.
  • the encryption module sends the obtained fourth data to the packet management module.
  • the packet management module sends the fourth data to the first application process.
  • the terminal and the like described above include hardware structures and/or software modules corresponding to each function.
  • the embodiments of the present application can be implemented in hardware, or in a combination of hardware and computer software, in combination with the units and algorithm steps of the examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or in computer software driving hardware depends on the particular application and the design constraints of the solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such an implementation should not be considered to go beyond the scope of the embodiments of the invention.
  • the embodiment of the present application may divide the terminal or the like into function modules according to the foregoing method example.
  • for example, each function module may correspond to one function, or two or more functions may be integrated into one processing module.
  • the integrated module may be implemented in hardware or as a software functional module. It should be noted that the module division in the embodiment of the present invention is schematic and is only a logical function division; an actual implementation may use a different division.
  • FIG. 12 shows a possible structure of the terminal involved in the above embodiment when the functional modules are divided by function.
  • the terminal 1200 includes a first application module 1201, a second application module 1202, and a key management module 1203.
  • the first application module 1201 is configured to support the terminal in executing S101, S102, and S105 in FIG. 2, S202, S203, and S207 in FIG. 4, S302 in FIG. 5, S501 in FIG. 10, and S601 in FIG. 11, and/or other processes for the techniques described herein.
  • the second application module 1202 is configured to support the terminal in executing S201a and S201 in FIG. 4, and/or other processes for the techniques described herein.
  • the key management module 1203 is configured to support the terminal in executing S103 and S104 in FIG. 2, S204-S206 in FIG. 4, S303-S305 in FIG. 5, S402-S406 in FIG. 9, S502-S507 in FIG. 10, and S602-S608 in FIG. 11, and/or other processes for the techniques described herein.
  • the terminal 1200 may further include a secure storage unit 1204 for storing the group information, encryption keys, decryption keys, and the like of the present application.
  • the terminal 1200 may further include a communication unit for the terminal to interact with other devices.
  • the specific functions that the foregoing functional units can implement include, but are not limited to, the functions corresponding to the method steps described in the foregoing examples.
  • the first application module 1201, the second application module 1202, and the key management module 1203 may be integrated together as a processing module of the terminal.
  • the communication unit described above may be a communication module of the terminal, such as an RF circuit, a WiFi module, or a Bluetooth module.
  • the secure storage unit described above may be a storage module of the terminal.
  • FIG. 13 is a schematic diagram of a possible structure of a terminal involved in the above embodiment.
  • the terminal 1300 includes a processing module 1301, a storage module 1302, and a communication module 1303.
  • the processing module 1301 is configured to control and manage the actions of the terminal.
  • the storage module 1302 is configured to store program code and data of the terminal.
  • the communication module 1303 is configured to communicate with other terminals.
  • the processing module 1301 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), or an application-specific integrated circuit (ASIC).
  • the processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
  • the communication module 1303 may be a transceiver, a transceiver circuit, a communication interface, or the like.
  • the storage module 1302 may be a memory.
  • the processing module 1301 is a processor (such as the processor 101 shown in FIG. 1)
  • the communication module 1303 is an RF transceiver circuit (such as the RF circuit 102 shown in FIG. 1)
  • the storage module 1302 is a memory (as shown in FIG. 1).
  • the terminal provided by the embodiment of the present application may be the terminal 100 shown in FIG. 1.
  • the communication module 1303 may include not only an RF circuit but also a WiFi module and a Bluetooth module. Communication modules such as RF circuits, WiFi modules, and Bluetooth modules may be collectively referred to as communication interfaces. The processor, communication interface, and memory described above may be coupled together by a bus.
  • the disclosed system, apparatus, and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division into modules or units is only a logical function division.
  • there may be another division manner in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device, or unit, and may be electrical, mechanical, or of another form.
  • the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the integrated unit described above may be implemented in hardware or as a software functional unit.
  • if the integrated unit is implemented as a software functional unit and sold or used as a standalone product, it may be stored in a computer readable storage medium.
  • the computer readable storage medium includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform all or some of the steps of the methods described in the embodiments of the present application.
  • the foregoing storage medium includes any medium that can store program code, such as a flash memory, a removable hard disk, a read-only memory, a random access memory, a magnetic disk, or an optical disk.


Abstract

The present application relates to the technical field of communications and provides a data processing method and a terminal for improving the security of data in an application on a terminal. The method is applied to a terminal on which a first application process, a second application process, and a key management process run. The method comprises: the second application process sends an access request to the first application process, the access request requesting access to third data of the first application process; the key management process receives a decryption request requesting decryption of the third data; the key management process determines, according to the decryption request, whether the second application process is in the process group in which the first application process is located; if yes, the key management process decrypts the third data with the decryption key corresponding to that process group to obtain fourth data and returns the fourth data; if not, the key management process does not perform decryption and returns the third data.

Description

Grouped applications share data using the same key
Technical field
The present application relates to the field of communications technologies, and in particular to a data processing method and terminal.
Background
Each application on a terminal runs in its own separate process space, and the data and functions of each process are isolated from each other. If communication between processes is required, the accessed process must first perform a permission check on the accessing process. If the check succeeds, indicating that the accessing process has access rights, the accessing process is allowed access. Otherwise, it indicates that the accessing process does not have access rights, and access is denied.
It can be seen that current terminals use a permission mechanism to secure communication between processes. However, during authorization by the accessed process, mis-authorization easily occurs. For example, a user may be induced to install a virus application and grant it authorization. The virus application can then pass the permission check of other processes (the accessed processes), that is, it can arbitrarily access the data of other applications, even key information, which harms the user.
Summary of the invention
The data processing method and terminal provided by the present application can improve the security of data in application processes on a terminal.
In a first aspect, the present application provides a data processing method applicable to a terminal on which a first application process, a second application process, and a key management process run. The method specifically includes: the second application process sends an access request to the first application process, the access request requesting access to third data of the first application process; the key management process receives a decryption request requesting decryption of the third data; if the key management process determines, according to the decryption request, that the second application process is in the process group in which the first application process is located, the key management process decrypts the third data with the decryption key corresponding to that process group to obtain fourth data; in response to the decryption request, the key management process returns the fourth data.
The terminal has N process groups; each of the N process groups contains at least one process, and at least one process group contains two or more processes, where N is an integer greater than or equal to 1. The N process groups correspond to M decryption keys, and each process group corresponds to one decryption key, where M is a positive integer and N >= M.
The first application process is one of the processes run by a first application, and the first application may be any application on the terminal, that is, a collection of programs and data that can perform certain business functions, for example an SMS application, the Meituan application, or the Taobao application.
The second application process may be another process of the first application, different from the first application process; the second application process may also be a process of a second application, the second application being different from the first application.
In some embodiments, the second application process needs to obtain permission to access the first application process in advance.
In some embodiments, the first data may be data that needs to be encrypted, for example data determined according to the business nature of the first application process or the first application, such as important, critical, or sensitive data of the first application process or the first application.
In some embodiments, the key management module determines the group corresponding to a third application process according to information such as the business type or download source of the third application process, establishes a correspondence between the identifier of the third application process and the group identifier, and saves it locally.
It can be seen that when the second application process and the first application process belong to the same process group, the key management process decrypts the third data using the decryption key corresponding to that process group, so that the second application process obtains the decrypted third data, that is, the fourth data. The data of the first application process can thus be accessed only when the second application process and the first application process belong to the same process group, which helps improve the security of data in the first application process.
In a possible design, the key management process receiving a decryption request requesting decryption of the third data specifically means that the key management process receives a decryption request sent by the first application process according to the access request. The key management process returning the fourth data specifically means that the key management process returns the fourth data to the first application process, and the first application process sends the fourth data to the second application process.
It can be seen that, on the terminal, the second application process may access the first application process, and the first application process requests the key management process to decrypt the third data. After the key management process decrypts the third data, the decrypted third data, that is, the fourth data, can be sent to the second application process through the first application process. The embodiment of the present application thus provides a method for a second application process to access third data of a first application process.
In a possible design, if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sends the third data to the first application process, and the first application process sends the third data to the second application process.
It can be seen that when the second application process and the first application process are not in the same process group, the key management process does not decrypt the third data, and the third data is sent to the second application process unchanged through the first application process, which helps protect the data security of the first application process.
In a possible design, if the second application process is not in the group, the key management module may also directly reject the decryption request of the first application process for the third data and end the procedure.
In a possible design, after the second application process sends the access request to the first application process and before the key management process receives the decryption request requesting decryption of the third data, the method further includes: the second application process receives the third data sent by the first application process. The key management process receiving a decryption request requesting decryption of the third data specifically means that the key management process receives a decryption request sent by the second application process, and the key management process returning the fourth data specifically means that the key management process returns the fourth data to the second application process.
It can be seen that, when the second application process accesses data of the first application process, the terminal may first obtain the data encrypted by the first application process, that is, the third data, and the second application process then requests the key management process to decrypt the third data. After the key management process decrypts the third data, the decrypted third data, that is, the fourth data, can be sent to the second application process. The embodiment of the present application thus provides a method for a second application process to access third data of a first application process.
In a possible design, if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sends the third data to the second application process.
It can be seen that when the second application process and the first application process are not in the same process group, the key management process does not decrypt the third data and sends the third data to the second application process unchanged, which helps protect the data security of the first application process.
In a possible design, before the key management process decrypts the third data with the decryption key corresponding to the process group in which the first application process is located to obtain the fourth data, the method further includes: the key management process obtains the identifier of the first application process; the key management process determines, according to the identifier of the first application process, the identifier of the process group in which the first application process is located; the key management process obtains, according to the identifier of that process group, the decryption key corresponding to the process group in which the first application process is located.
The present application thus provides a method for a terminal to obtain the decryption key corresponding to the process group in which the first application process is located.
In a possible design, the first application process requests the key management process to encrypt first data; the key management process determines, according to the request, the process group in which the first application process is located; the key management process encrypts the first data with the encryption key corresponding to that process group to generate second data, where the N process groups correspond to M encryption keys and each process group corresponds to one encryption key; the key management process sends the second data to the first application process.
The present application thus implements a method in which application processes in the same process group are encrypted with the same encryption key, which helps improve the security of data in application processes.
In a possible design, the first application process stores the second data.
In some embodiments, the first application process stores the second data in an encrypted storage area in the first application process. The encrypted storage area is a specific storage space in the first application process dedicated to storing data encrypted by the key management module.
In a possible design, the key management process determining the process group in which the first application process is located according to the request includes: the key management process obtains the identifier of the first application process; the key management process determines, according to the identifier of the first application process, the identifier of the process group in which the first application process is located; the key management process obtains, according to the identifier of that process group, the encryption key corresponding to the process group in which the first application process is located.
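The encryption flow (S501-S507), the decryption flow (S601-S607), and the first aspect of the summary above all reduce to the same lookup chain: process identifier -> group identifier -> key index -> key in secure storage, with decryption granted only when the requesting process is in the caller's group. The following Go program is an added example, not code from the patent or from Huawei; it assumes string identifiers, AES-256-GCM as the per-group cipher, one symmetric key per group used for both directions (the patent also allows key pairs), and that the caller's identifier is passed in by the IPC layer rather than trusted from the request body.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager models the key management process: a group management table
// (process identifier -> group identifier), an index from group identifier to
// a key slot, and a "secure storage module" holding per-group keys. One key per
// group satisfies the N groups -> M keys, N >= M relation. Identifiers are
// plain strings here (constructed for the example).
type KeyManager struct {
	groupOf  map[string]string // S502/S602: process id -> group id
	keyIndex map[string]int    // S503/S603: group id -> index into storage
	storage  [][]byte          // secure storage module: key bytes by index
}

func NewKeyManager() *KeyManager {
	return &KeyManager{groupOf: map[string]string{}, keyIndex: map[string]int{}}
}

// AddGroup creates a group and generates a fresh random AES-256 key for it.
func (km *KeyManager) AddGroup(groupID string) error {
	if _, ok := km.keyIndex[groupID]; ok {
		return errors.New("group already exists")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	km.storage = append(km.storage, key)
	km.keyIndex[groupID] = len(km.storage) - 1
	return nil
}

// Assign records the group a process belongs to (the correspondence the key
// management module saves locally at install time).
func (km *KeyManager) Assign(procID, groupID string) error {
	if _, ok := km.keyIndex[groupID]; !ok {
		return errors.New("unknown group")
	}
	km.groupOf[procID] = groupID
	return nil
}

// aeadFor performs identifier -> group -> key index -> key and returns an AEAD.
func (km *KeyManager) aeadFor(procID string) (cipher.AEAD, error) {
	groupID, ok := km.groupOf[procID]
	if !ok {
		return nil, errors.New("process not in any group")
	}
	block, err := aes.NewCipher(km.storage[km.keyIndex[groupID]])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is S501-S507: the first application process submits first data and
// receives second data, laid out as nonce || ciphertext+tag.
func (km *KeyManager) Encrypt(firstProc string, first []byte) ([]byte, error) {
	aead, err := km.aeadFor(firstProc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, first, nil), nil
}

// Decrypt is S601-S607. firstProc is the caller's identifier (from the IPC
// layer), secondProc the identifier the caller reports for the requester. If
// secondProc is outside firstProc's group the third data comes back unchanged
// with ok == false; otherwise the fourth data (plaintext) is returned.
func (km *KeyManager) Decrypt(firstProc, secondProc string, third []byte) ([]byte, bool, error) {
	g1, ok1 := km.groupOf[firstProc]
	g2, ok2 := km.groupOf[secondProc]
	if !ok1 || !ok2 || g1 != g2 {
		return third, false, nil // S602 "no" branch: hand the ciphertext back
	}
	aead, err := km.aeadFor(firstProc)
	if err != nil {
		return nil, false, err
	}
	ns := aead.NonceSize()
	if len(third) < ns {
		return nil, false, errors.New("third data too short")
	}
	fourth, err := aead.Open(nil, third[:ns], third[ns:], nil)
	if err != nil {
		return nil, false, err // tag mismatch: tampered or foreign ciphertext
	}
	return fourth, true, nil
}
```

Because the group check happens before any key is touched, a process outside the group never causes the group key to be loaded, and GCM's tag rejects ciphertext that was modified in transit between the two application processes.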
In a second aspect, a terminal includes a first application module, a second application module, and a key management module. The second application module is configured to send an access request to the first application module, the access request requesting access to third data of the first application process. The key management module is configured to receive a decryption request requesting decryption of the third data. The key management module is further configured to, if it determines according to the decryption request that the second application process is in the process group in which the first application process is located, decrypt the third data with the decryption key corresponding to that process group to obtain fourth data. The key management module is further configured to return the fourth data in response to the decryption request.
The terminal has N process groups; each of the N process groups contains at least one process, and at least one process group contains two or more processes, where N is an integer greater than or equal to 1. The N process groups correspond to M decryption keys, and each process group corresponds to one decryption key, where M is a positive integer and N >= M.
In a possible design, the key management module is further configured to receive a decryption request sent by the first application module according to the access request; the key management module is further configured to return the fourth data to the first application module; and the first application module is configured to send the fourth data to the second application module.
In a possible design, the key management module is further configured to, if it determines that the second application process is not in the process group in which the first process is located, send the third data to the first application module; and the first application module is further configured to send the third data to the second application module.
In a possible design, the second application module is further configured to receive the third data sent by the first application module; the key management module is further configured to receive a decryption request sent by the second application module; and the key management module is further configured to return the fourth data to the second application module.
In a possible design, the key management module is further configured to, if it determines that the second application process is not in the process group in which the first application process is located, send the third data to the second application module.
In a possible design, the key management module is further configured to obtain the identifier of the first application module; the key management module is further configured to determine, according to the identifier of the first application module, the identifier of the process group in which the first application module is located; and the key management module is further configured to obtain, according to the identifier of that process group, the decryption key corresponding to the process group in which the first application module is located.
In a possible design, the first application module is further configured to request the key management module to encrypt first data; the key management module is further configured to determine, according to the request, the process group in which the first application module is located; the key management module is further configured to encrypt the first data with the encryption key corresponding to that process group to generate second data, where the N process groups correspond to M encryption keys and each process group corresponds to one encryption key; and the key management module is further configured to send the second data to the first application module.
In a possible design, the first application module is further configured to store the second data.
In a possible design, the key management module is further configured to obtain the identifier of the first application module; the key management module is further configured to determine, according to the identifier of the first application module, the identifier of the process group in which the first application module is located; and the key management module is further configured to obtain, according to the identifier of that process group, the encryption key corresponding to the process group in which the first application module is located.
In a third aspect, a terminal includes a processor, a memory, and a touch screen, where the memory and the touch screen are coupled to the processor, the memory is configured to store computer program code, the computer program code includes computer instructions, and when the processor executes the computer instructions the terminal performs the data processing method of any possible design of the first aspect.
In a fourth aspect, a computer storage medium includes computer instructions which, when run on a terminal, cause the terminal to perform the data processing method of any possible design of the first aspect.
In a fifth aspect, a computer program product, when run on a computer, causes the computer to perform the data processing method of any possible design of the first aspect.
DESCRIPTION OF DRAWINGS
FIG. 1 is a schematic diagram of a hardware structure of a terminal according to this application;
FIG. 2 is a first schematic flowchart of a data processing method according to this application;
FIG. 3 is a schematic diagram of the storage space of a process according to this application;
FIG. 4 is a second schematic flowchart of a data processing method according to this application;
FIG. 5 is a third schematic flowchart of a data processing method according to this application;
FIG. 6 is a schematic diagram of a software structure of a terminal according to this application;
FIG. 7 is a fourth schematic flowchart of a data processing method according to this application;
FIG. 8 is a fifth schematic flowchart of a data processing method according to this application;
FIG. 9 is a sixth schematic flowchart of a data processing method according to this application;
FIG. 10 is a seventh schematic flowchart of a data processing method according to this application;
FIG. 11 is an eighth schematic flowchart of a data processing method according to this application;
FIG. 12 is a first schematic diagram of a composition of a terminal according to this application;
FIG. 13 is a second schematic diagram of a composition of a terminal according to this application.
DESCRIPTION OF EMBODIMENTS
In the following, the terms "first" and "second" are used for descriptive purposes only and shall not be construed as indicating or implying relative importance or implicitly indicating the number of the technical features indicated. Therefore, a feature defined by "first" or "second" may explicitly or implicitly include one or more such features. In the description of this application, unless otherwise stated, "a plurality of" means two or more.
First, to better understand the technical solution of this application, the communication mechanism between applications is briefly introduced.
When the terminal installs an application, it assigns each application a unique user identifier (UID) or process identifier (PID), which is kept permanently. Communication between different applications uses the Binder mechanism. The Binder mechanism is based on a client/server (C/S) architecture. Specifically, the accessed application acts as the server end, and the accessing application acts as the client end. The client sends the access task to the server, and the server determines, according to a permission control policy and the UID/PID, whether the client has the access permission. Only a client that has applied for the specific permission can access the server.
At present, permission control is often performed by popping up a permission query dialog box so that the user chooses whether to allow the access. Permissions are divided into install-time permissions and dynamic permissions. Install-time permission means that when the application is installed for the first time, the user is asked once about all the permissions the entire application involves, for example, in versions of Android before Android 6.0 (also called Android M). Dynamic permission means that, while the application is running, a dialog box pops up whenever a permission is needed to ask the user whether to grant it, for example, in Android M and later versions of Android.
It should be noted that some malicious applications may declare themselves as applications that do not support dynamic permissions, and thereby bypass the user's consent, directly obtain access permission to certain important applications, and obtain the key data of those applications, causing losses to the user. For this, this application provides a data processing method in which the terminal groups the applications installed on it, and applications in the same group use the same key to encrypt key data at runtime. In this way, data encrypted by an application in a group can only be decrypted by other applications in that group. Then, even if a malicious application obtains access permission to the application, it cannot decrypt the encrypted data because it is not in the same group, which helps ensure the security of the user's data.
For example, the terminal in this application may be a mobile phone (such as the mobile phone 100 shown in FIG. 1), a tablet computer, a personal computer (PC), a personal digital assistant (PDA), a smart watch, a netbook, a wearable electronic device, an augmented reality (AR) device, a virtual reality (VR) device or the like on which an application can be installed and an application icon displayed; this application does not specially limit the specific form of the terminal.
As shown in FIG. 1, taking the mobile phone 100 as an example of the terminal, the mobile phone 100 may specifically include the following components.
The processor 101 is the control center of the mobile phone 100. It connects the various parts of the mobile phone 100 through various interfaces and lines, and performs the various functions of the mobile phone 100 and processes data by running or executing the applications stored in the memory 103 and calling the data stored in the memory 103. In some embodiments, the processor 101 may include one or more processing units; for example, the processor 101 may be a Kirin 960 chip manufactured by Huawei Technologies Co., Ltd.
The radio frequency circuit 102 may be configured to receive and send wireless signals in the course of sending or receiving information or during a call. In particular, the radio frequency circuit 102 may receive downlink data from a base station and pass it to the processor 101 for processing, and may send uplink data to the base station. Generally, a radio frequency circuit includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer and the like. In addition, the radio frequency circuit 102 may also communicate with other devices through wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to the global system for mobile communications, general packet radio service, code division multiple access, wideband code division multiple access, long term evolution, e-mail, short message service and the like.
The memory 103 is configured to store applications and data, and the processor 101 performs the various functions and data processing of the mobile phone 100 by running the applications and data stored in the memory 103. The memory 103 mainly includes a program storage area and a data storage area, where the program storage area may store an operating system and an application required by at least one function (such as a sound playing function or an image playing function), and the data storage area may store data created during use of the mobile phone 100 (such as audio data or a phone book). In addition, the memory 103 may include high-speed random access memory (RAM), and may also include non-volatile memory such as a magnetic disk storage device, a flash memory device or another volatile solid-state storage device. The memory 103 may store various operating systems, for example, the operating system developed by Apple Inc. or the operating system developed by Google Inc. The memory 103 may be independent and connected to the processor 101 through the above communication bus, or the memory 103 may be integrated with the processor 101.
The touch screen 104 may specifically include a touch panel 104-1 and a display 104-2.
The touch panel 104-1 may collect touch events performed on or near it by the user of the mobile phone 100 (for example, an operation performed by the user on or near the touch panel 104-1 with a finger, a stylus or any other suitable object) and send the collected touch information to another component (for example, the processor 101). A touch event performed by the user near the touch panel 104-1 may be called a floating touch; a floating touch may mean that the user does not need to directly touch the touch panel in order to select, move or drag a target (for example, an icon), but only needs to be near the device to perform the desired function. In addition, the touch panel 104-1 may be implemented in multiple types, such as resistive, capacitive, infrared and surface acoustic wave.
The display (also called a display screen) 104-2 may be configured to display information entered by the user or information provided to the user, and the various menus of the mobile phone 100. The display 104-2 may be configured in the form of a liquid crystal display, an organic light emitting diode or the like. The touch panel 104-1 may cover the display 104-2; when the touch panel 104-1 detects a touch event on or near it, it passes the event to the processor 101 to determine the type of the touch event, and the processor 101 may then provide a corresponding visual output on the display 104-2 according to the type of the touch event. Although in FIG. 1 the touch panel 104-1 and the display screen 104-2 are two independent components that implement the input and output functions of the mobile phone 100, in some embodiments the touch panel 104-1 and the display screen 104-2 may be integrated to implement the input and output functions of the mobile phone 100. It can be understood that the touch screen 104 is formed by stacking multiple layers of material; only the touch panel (layer) and the display screen (layer) are shown in the embodiments of this application, and the other layers are not described. In addition, the touch panel 104-1 may be configured on the front of the mobile phone 100 in a full-panel form, and the display screen 104-2 may also be configured on the front of the mobile phone 100 in a full-panel form, so that a bezel-less structure can be achieved on the front of the mobile phone.
In addition, the mobile phone 100 may also have a fingerprint recognition function. For example, a fingerprint reader 112 may be configured on the back of the mobile phone 100 (for example, below the rear camera) or on the front of the mobile phone 100 (for example, below the touch screen 104). For another example, a fingerprint collection device 112 may be configured in the touch screen 104 to implement the fingerprint recognition function, that is, the fingerprint collection device 112 may be integrated with the touch screen 104 to implement the fingerprint recognition function of the mobile phone 100. In this case, the fingerprint collection device 112 is configured in the touch screen 104 and may be part of the touch screen 104 or configured in the touch screen 104 in another way. The main component of the fingerprint collection device 112 in the embodiments of this application is a fingerprint sensor, which may use any type of sensing technology, including but not limited to optical, capacitive, piezoelectric or ultrasonic sensing technology.
The mobile phone 100 may also include a Bluetooth device 105 for exchanging data between the mobile phone 100 and other short-range devices (for example, mobile phones or smart watches).
The mobile phone 100 may also include at least one sensor 106, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor may adjust the brightness of the display of the touch screen 104 according to the brightness of the ambient light, and the proximity sensor may turn off the power of the display when the mobile phone 100 is moved to the ear. As one kind of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in all directions (generally three axes) and, when stationary, the magnitude and direction of gravity; it can be used for applications that recognize the posture of the phone (such as switching between landscape and portrait, related games and magnetometer posture calibration) and for functions related to vibration recognition (such as a pedometer or tapping). Other sensors that may also be configured in the mobile phone 100, such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, are not described here.
The WiFi device 107 is configured to provide the mobile phone 100 with network access that complies with WiFi-related standard protocols. The mobile phone 100 can access a WiFi access point through the WiFi device 107, which helps the user send and receive e-mail, browse web pages, access streaming media and so on; it provides the user with wireless broadband Internet access. In some other embodiments, the WiFi device 107 may also act as a WiFi wireless access point and provide WiFi network access to other devices.
The positioning device 108 is configured to provide a geographic location for the mobile phone 100. It can be understood that the positioning device 108 may specifically be a receiver of a positioning system such as the Global Positioning System (GPS), the BeiDou satellite navigation system or Russia's GLONASS. After receiving the geographic location sent by the positioning system, the positioning device 108 sends the information to the processor 101 for processing or to the memory 103 for storage. In some other embodiments, the positioning device 108 may also be a receiver of an assisted global positioning system (AGPS); the AGPS system acts as an assistance server to help the positioning device 108 complete ranging and positioning services, and in this case the assistance positioning server provides positioning assistance by communicating over a wireless communication network with the positioning device 108 (that is, the GPS receiver) of a device such as the mobile phone 100. In some other embodiments, the positioning device 108 may also be a positioning technology based on WiFi access points. Because every WiFi access point has a globally unique media access control (MAC) address, a device with WiFi turned on can scan and collect the broadcast signals of the surrounding WiFi access points and thus obtain the MAC addresses broadcast by the WiFi access points; the device sends this data that identifies the WiFi access points (for example, the MAC addresses) to a location server over the wireless communication network, and the location server retrieves the geographic location of each WiFi access point, combines it with the strength of the WiFi broadcast signals, calculates the geographic location of the device and sends it to the positioning device 108 of the device.
The audio circuit 109, the speaker 113 and the microphone 114 may provide an audio interface between the user and the mobile phone 100. The audio circuit 109 may convert received audio data into an electrical signal and transmit it to the speaker 113, which converts it into a sound signal for output; conversely, the microphone 114 converts a collected sound signal into an electrical signal, which the audio circuit 109 receives and converts into audio data, and the audio data is then output to the RF circuit 102 to be sent to, for example, another mobile phone, or output to the memory 103 for further processing.
The peripheral interface 110 is configured to provide various interfaces for external input/output devices (for example, a keyboard, a mouse, an external display, external memory or a subscriber identity module card). For example, it connects to a mouse through a universal serial bus (USB) interface, and connects to a subscriber identity module (SIM) card provided by a telecommunications operator through the metal contacts of the SIM card slot. The peripheral interface 110 may be used to couple the above external input/output peripherals to the processor 101 and the memory 103.
The mobile phone 100 may also include a power supply device 111 (for example, a battery and a power management chip) that supplies power to the various components. The battery may be logically connected to the processor 101 through the power management chip, so that functions such as charging, discharging and power consumption management are handled through the power supply device 111.
Although not shown in FIG. 1, the mobile phone 100 may also include a camera (a front camera and/or a rear camera), a flash, a micro projection device, a near field communication (NFC) device and the like, which are not described here.
The methods in the following embodiments can all be implemented in the mobile phone 100 having the foregoing hardware structure.
FIG. 2 is a flowchart of a data processing method according to this application. The method includes a process of encrypting data and may be applied to a terminal that runs a first application process and a key management process. The method specifically includes the following steps.
S101. The first application process generates first data.
The first application process is one of the processes run by a first application, and the first application may be any application on the terminal, that is, a set of programs and data that can perform certain business functions, for example, an SMS application, the Meituan application or the Taobao application.
In some embodiments, the first data may be data that needs to be encrypted, for example, data determined according to the business nature of the first application process or the first application, such as important, key or sensitive data of the first application process or the first application. For example, if the first application is an SMS application, the first data may be information such as an account, a password, a verification code or SMS content. Specifically, the first data may be the entire content of an SMS message that contains key data, or only part of the content of the message, namely the key data itself; this is not limited in the embodiments of this application. If the first data is data of this kind that needs to be encrypted, the first application process needs to request the key management module to encrypt the first data, that is, step S102 is performed.
In some embodiments, the first data may be data that does not need to be encrypted, for example, data determined, according to the business nature of the first application process or the first application, not to require encryption; in that case the first application process stores the first data directly, and the following steps need not be performed.
S102. The first application process requests the key management module to encrypt the first data, where the request message carries the first data.
The key management module is mainly configured to perform the encryption and decryption of specific data in each application process, and to create and manage the encryption and decryption keys of each group. When running, the key management module may also be called the key management process.
S103. The key management module encrypts the first data to generate second data.
Specifically, when the key management module is called by the first application process, it follows from the Binder-based inter-process communication mechanism that the key management module can obtain the identifier of the caller, that is, the identifier of the first application process. The identifier of the first application process may be the PID of the first application process or the UID of the first application. The key management module may then determine, according to the identifier of the first application process, the group corresponding to the first application process and obtain the identifier of that group. Next, it obtains the encryption key corresponding to the first application process according to the identifier of the group corresponding to the first application process. Finally, the key management module encrypts the first data with the obtained encryption key to obtain the second data. The second data is the encrypted form of the first data, that is, ciphertext.
It should be noted that the first application process may correspond to one group, and that group corresponds to one encryption key, so the first application process corresponds to one encryption key; the key management module then encrypts the first data with that encryption key. The first application process may also correspond to multiple groups, and those groups correspond to multiple encryption keys, so the first application process corresponds to multiple encryption keys; the key management module then encrypts the first data with those multiple encryption keys. This is not limited in the embodiments of this application.
It should also be noted that the groups here may also be called process groups. One or more processes running in the terminal may correspond to one or more process groups, and the one or more process groups correspond to one or more encryption keys respectively.
For example, assume that the application processes running on the terminal can be divided into three process groups: process group A, process group B and process group C. Then process group A, process group B and process group C may each correspond to a different encryption key; or process group A and process group B may correspond to the same encryption key while process group C corresponds to another, different encryption key; or process group A, process group B and process group C may all correspond to the same encryption key. The correspondence between process groups and encryption keys is not limited in the embodiments of this application.
S104. The key management module sends the second data to the first application process.
S105. The first application process stores the second data.
Specifically, the first application process stores the second data in an encrypted storage area of the first application process. The encrypted storage area is a specific storage space in the first application process, dedicated to storing data encrypted by the key management module.
For example, FIG. 3 is a schematic diagram of the space of the first application process. The space of the first application process includes a stack, a heap, a BSS (block started by symbol) segment, a data segment and a code (text) segment.
The BSS segment, data segment and code segment are statically allocated memory, used to hold code, global variables and static variables, and have fixed roles. The stack is automatically allocated and released by the operating system; it stores the local variables of the first application process and can also be used to pass parameters and return values.
The heap is allocated and released by the first application process itself and holds the memory segments dynamically allocated while the first application process runs. In the embodiments of this application, the first application process may, when it runs for the first time, allocate a segment of memory on the heap dedicated to storing data encrypted by the key management module, that is, the encrypted storage area.
It can be seen that, in the embodiments of this application, while the first application process is running, the group corresponding to the first application process is first determined, the encryption key corresponding to that group is then obtained, and the data of the first application process is encrypted with that encryption key and stored in a specific encrypted storage area, which helps improve the security of the application's key data.
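The following is an added example written for this page, not code from the patent or from Huawei, that models the lookup chain of S103 (caller identifier, then process group, then encryption key) and the N-groups-to-M-keys arrangement of the process group A/B/C example, together with the decrypt-side consequence that FIG. 4 relies on: a caller whose group holds a different key cannot recover the first data. The patent names no cipher, so AES-256-GCM from the Go standard library is this editor's choice; the UIDs 10001 to 10003, the key IDs and the group names are constructed values, and the caller UID is taken as a parameter because, as the text notes, the IPC layer rather than the request supplies it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager stands in for the patent's key management module. All mappings
// are constructed for this example: UID -> process group -> key ID -> AES key.
type KeyManager struct {
	groupOfUID map[int]string    // caller UID (as reported by the IPC layer) -> process group
	keyOfGroup map[string]string // process group -> key ID (N groups may map to M <= N keys)
	keys       map[string][]byte // key ID -> 256-bit AES key
}

func NewKeyManager() *KeyManager {
	return &KeyManager{groupOfUID: map[int]string{}, keyOfGroup: map[string]string{}, keys: map[string][]byte{}}
}

// NewKey generates a fresh random 256-bit key under the given key ID.
func (km *KeyManager) NewKey(keyID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	km.keys[keyID] = key
	return nil
}

// AssignGroup binds a process group to one key; several groups may share a key ID.
func (km *KeyManager) AssignGroup(group, keyID string) error {
	if _, ok := km.keys[keyID]; !ok {
		return fmt.Errorf("unknown key %q", keyID)
	}
	km.keyOfGroup[group] = keyID
	return nil
}

// Register records which process group an application (by UID) belongs to.
func (km *KeyManager) Register(uid int, group string) error {
	if _, ok := km.keyOfGroup[group]; !ok {
		return fmt.Errorf("unknown group %q", group)
	}
	km.groupOfUID[uid] = group
	return nil
}

// aeadFor is the lookup chain of S103: caller UID -> group -> key -> AES-GCM.
func (km *KeyManager) aeadFor(callerUID int) (cipher.AEAD, error) {
	group, ok := km.groupOfUID[callerUID]
	if !ok {
		return nil, fmt.Errorf("uid %d is not in any process group", callerUID)
	}
	block, err := aes.NewCipher(km.keys[km.keyOfGroup[group]])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is S102-S104: the module identifies the caller by UID, not by
// anything in the request, and returns the second data as nonce||ciphertext||tag.
func (km *KeyManager) Encrypt(callerUID int, first []byte) ([]byte, error) {
	aead, err := km.aeadFor(callerUID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, first, nil), nil
}

// Decrypt returns the first data only if the caller's group key authenticates
// the ciphertext; a caller from a group with a different key gets an error.
func (km *KeyManager) Decrypt(callerUID int, second []byte) ([]byte, error) {
	aead, err := km.aeadFor(callerUID)
	if err != nil {
		return nil, err
	}
	if len(second) < aead.NonceSize() {
		return nil, fmt.Errorf("second data too short")
	}
	pt, err := aead.Open(nil, second[:aead.NonceSize()], second[aead.NonceSize():], nil)
	if err != nil {
		return nil, fmt.Errorf("caller %d is not in the owning process group", callerUID)
	}
	return pt, nil
}

func main() {
	km := NewKeyManager()
	_, _ = km.NewKey("k1"), km.NewKey("k2")
	_, _, _ = km.AssignGroup("A", "k1"), km.AssignGroup("B", "k1"), km.AssignGroup("C", "k2")
	_, _, _ = km.Register(10001, "A"), km.Register(10002, "B"), km.Register(10003, "C") // constructed UIDs
	second, _ := km.Encrypt(10001, []byte("verification code 123456"))
	pt, err := km.Decrypt(10002, second) // B shares A's key: succeeds
	fmt.Printf("group B: %q err=%v\n", pt, err)
	pt, err = km.Decrypt(10003, second) // C has another key: fails
	fmt.Printf("group C: %q err=%v\n", pt, err)
}
```

Because GCM authenticates the ciphertext, a wrong-group decryption fails cleanly instead of yielding garbage, which is the property the method depends on: the second application process in FIG. 4 may well be able to read the stored second data, and what protects the first data is that the key management module will only unseal it for a caller in a group that holds the same key.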
FIG. 4 is a flowchart of a data processing method provided by an embodiment of the present application. The method includes a decryption process and specifically includes the following steps:
S201. The second application process requests the first application process for access to the third data of the first application process.
The second application process may be another process of the first application, different from the first application process; it may also be a process of a second application, where the second application is different from the first application.
In some embodiments, the second application process must first obtain permission to access the first application process, shown as S201a in the figure. Specifically, the second application process may send a request for access rights to the first application process, and the first application process grants it authorization. Alternatively, the first application process may directly authorize the second application process, allowing it to access the data of the first application process. It is also possible that the first application process treats the second application process as having access permission by default. The embodiments of the present application do not limit this.
The second application process can then read the data of the first application process, including the third data. For example, the second application process may read all of the data in the first application process, or only the data associated with the second application process; the embodiments of the present application do not limit this.
For example, suppose the first application process is a process of the SMS application, the second application process is a process of the Meituan application, and the Meituan application has permission to access the SMS application. The Meituan application can then read all message content in the SMS application, or only the message content in the SMS application that is associated with the Meituan application, for example the verification-code messages that the Meituan application sends to the SMS application.
S202. The first application process determines that the third data is stored in the encrypted storage area.
Specifically, the first application process determines from the index corresponding to the third data whether the third data is stored in the encrypted storage area. If it is not, the third data is plaintext and the first application process simply sends it to the second application process. If it is, the third data is ciphertext and the first application process must additionally have it decrypted, i.e. step S203 is performed.
S203. The first application process requests the key management module to decrypt the third data; the request carries the identifier of the second application process and the third data.
Specifically, when the first application process is called by the second application process, the first application process can obtain the identifier of the calling program, i.e. the identifier of the second application process.
S204. The key management module determines, from the identifier of the second application process, whether the second application process belongs to the group corresponding to the first application process. If so, S205 is performed; otherwise the key management module does not decrypt the third data and returns the third data unchanged.
Specifically, when the key management module is called by the first application process, it can obtain the identifier of the caller, i.e. the identifier of the first application process. From the identifier of the first application process, the key management module can determine the group corresponding to the first application process and the identifiers of the applications contained in that group. It can then determine from the identifier of the second application process whether the second application process is in that group. If it is, the key management module decrypts the third data, i.e. step S205 is performed. If it is not, the key management module does not decrypt the third data and returns it unchanged to the first application process. Alternatively, if the second application process is not in the group, the key management module may simply reject the decryption request of the first application process and end the procedure.
In other words, when the second application process accesses the first application process, even if the second application process has access permission, it cannot obtain the plaintext of the data that the first application process keeps in the encrypted storage area unless the two processes belong to the same group. Thus, if the second application process is a malicious program, even if it induces the user to authorize its access to the first application process, it still cannot obtain the data encrypted by the first application process, which improves the security of the encrypted data of the first application process.
S205. The key management module decrypts the third data to obtain fourth data.
Specifically, the key management module obtains the decryption key corresponding to the group of the first application process and uses it to decrypt the third data, obtaining the fourth data. The fourth data is the decrypted form of the third data, i.e. plaintext.
It should also be noted that the first application process may correspond to one group, that group corresponds to one decryption key, and the first application process therefore corresponds to one decryption key; the key management module then decrypts the third data with that one decryption key. The first application process may also correspond to several groups, each of which corresponds to its own decryption key, so that the first application process corresponds to several decryption keys; the key management module then uses these decryption keys to decrypt the third data. The embodiments of the present application do not limit this.
S206. The key management module sends the fourth data to the first application process.
S207. The first application process sends the fourth data to the second application process.
It can be seen that, in the embodiments of the present application, when the second application process needs to access the encrypted data of the first application process, the first application process must ask the key management module to decrypt the encrypted data. The key management module first determines whether the second application process is in the group corresponding to the first application process; only if it is does the module decrypt the encrypted data and return the decrypted data to the first application process. This prevents the second application process from reading the data of the first application process directly merely because it was mistakenly granted permission to access the first application process, and so improves the security of the data of the first application process.
It should also be noted that, in the embodiments of the present application, the second application process may request decryption of the third data from the key management module through the first application process. The second application process may also request decryption of the third data from the key management module directly; in that case steps S202 to S207 may be replaced by steps S301 to S305.
FIG. 5 is a flowchart of a data processing method provided by an embodiment of the present application. The method includes steps S201 and S301 to S305, as follows:
S301. The first application process returns the third data to the second application process.
If the third data is stored in the encrypted storage area of the first application process, the third data is ciphertext and the second application process must have it decrypted, i.e. step S302 is performed. If the third data is stored in a non-encrypted storage area of the first application process, the third data is plaintext and is the data that the second application process ultimately needs to obtain.
S302. The second application process requests the key management module to decrypt the third data; the request carries the third data and the identifier of the first application process.
It should be noted that when the second application process is called by the first application process, the second application process can obtain the identifier of the caller, i.e. the identifier of the first application process.
S303. The key management module determines, from the identifiers of the second application process and the first application process, whether the second application process belongs to the group corresponding to the first application process. If so, S304 is performed; otherwise the key management module does not decrypt the third data and returns it unchanged to the requesting second application process.
Specifically, when the key management module is called by the second application process, it can also obtain the identifier of the second application process. From the identifier of the first application process carried in the request, the key management module determines the group corresponding to the first application process and the identifiers of the application processes contained in that group. It can then determine from the identifier of the second application process whether the second application process is in that group. If it is, the key management module decrypts the third data, i.e. step S304 is performed. If it is not, the key management module does not decrypt the third data and returns it unchanged to the second application process. Alternatively, if the second application process is not in the group, the key management module may simply reject the decryption request of the second application process and end the procedure.
S304. The key management module decrypts the third data to obtain fourth data.
For this step, refer to step S205; details are not repeated here.
S305. The key management module sends the fourth data to the second application process.
Thus, in the embodiments of the present application, after obtaining the encrypted data of the first application process, the second application process may request the key management module to decrypt it. The key management module first determines whether the second application process is in the group corresponding to the first application process; only if it is does the module decrypt the encrypted data and return the decrypted data to the second application process. This prevents the second application process from reading the data of the first application process directly merely because it was mistakenly granted permission to access the first application process, and so improves the security of the data of the first application process.
FIG. 6 is a schematic diagram of the composition of a terminal provided by an embodiment of the present application. The terminal includes multiple application processes 601 to 604, a key management module 605 and a secure storage module 606.
The terminal groups these application processes; application processes in the same group use the same key to encrypt and decrypt specific data, that is, application processes in the same group can access each other's specific data. The grouping method is described in detail below. For example, application process 601 and application process 602 are processes of a first group, and application process 603 and application process 604 are processes of a second group.
The key management module 605 performs the encryption and decryption of specific data in each application process and creates and manages the encryption and decryption keys of each group. Specifically, the key management module 605 further includes a group management module 60501 and an encryption module 60502.
The group management module 60501 groups application processes according to a grouping policy. The group management module 60501 may generate the grouping policy automatically, or may accept user settings and update the grouping policy; the present application does not limit the grouping policy. The group management module 60501 may also request the encryption module 60502 to create a key for a group, and may establish the correspondence between applications and groups and/or keys. The encryption module 60502 creates new key pairs for groups and encrypts and decrypts the data of application processes.
The secure storage module 606 stores the encryption and decryption keys generated by the key management module 605 and ensures that the keys are stored securely.
The technical solution provided by the present application is described in detail below, taking the application of the data processing method of the present application to the terminal shown in FIG. 6 as an example.
First, the grouping policy for application processes is explained. The terminal may group application processes according to the source, service type and so on of the application to which each process belongs.
For example, the grouping policy may group applications by download source. Specifically, applications downloaded from the application market on the terminal have passed the market's listing review and can be regarded as trusted applications, so they may be placed in one group. Applications obtained in other ways, not downloaded through the application market, can be regarded as untrusted applications and placed in another group.
For example, the grouping policy may also group applications by their specific service type. Specifically, when applications downloaded from the application market are listed, the application market classifies them, for example as office, shopping, social, entertainment, news and so on. Applications may then be grouped according to these categories, for example with applications of the same type placed in one group, or with several types placed together in one group; the embodiments of the present application do not limit this.
It should be noted that when the terminal downloads an application, the application market also delivers the application's source information and service type to the terminal so that the terminal can group the application according to this information, or the application market sends its classification information for the application to the terminal. FIG. 7 is a schematic flowchart of application publishing, listing review, classification and download.
In some embodiments, when an application developer or a user discovers that an application behaves maliciously, this can be reported to the application market, which re-reviews and re-groups the application. FIG. 8 is a schematic flowchart of an application being re-reviewed and re-listed.
For example, the grouping policy may also place certain applications in one group as specified by user settings. The grouping policy may also be a combination of the grouping policies above; the embodiments of the present application do not limit this.
After the terminal determines the grouping policy, it groups the applications according to the grouping policy and determines a key for each group. Specifically, FIG. 9 is a schematic flowchart of a data processing method provided by an embodiment of the present application. The method specifically includes:
S401. After detecting that a third application has finished installing, the terminal notifies the group management module to group the third application process corresponding to the third application.
The third application is a new application that the terminal needs to install; it is different from the first application and the second application.
It should be noted that the terminal may instead notify the group management module upon detecting the user's operation requesting installation of the third application; the embodiments of the present application do not limit this.
It should also be noted that there are generally two kinds of applications installed on a terminal. One kind is preinstalled by the terminal, for example the SMS application, the camera application and the browser application; these may be installed by the terminal itself, triggered by the system when the terminal is first powered on. The other kind is downloaded and installed by the user, for example the Meituan application or the Alipay application; their installation is triggered by a user operation. Whichever way an application is installed, the terminal can notify the group management module after installation completes or after installation begins.
S402. The group management module groups the third application process according to the grouping policy.
Specifically, the group management module determines the group corresponding to the third application process from information such as the service type or download source of the third application process, establishes a correspondence between the identifier of the third application process and the group identifier, and saves it locally.
Further, if the third application process is the first application installed in that group, the group management module requests the encryption module to create a new group key pair for the group, i.e. step S403 is performed. If the third application process is not the first application installed in the group, the group management module directly establishes the correspondence between the third application process and the group and key, i.e. step S406 is performed.
For example, suppose the third application process belongs to the Meituan application and the group corresponding to it is the shopping group. When the Meituan application finishes installing, or when the terminal receives the user's request to install the Meituan application, the group management module is notified. The group management module places the Meituan application in the shopping group. If the Meituan application is the first application installed in the shopping group, the group management module requests the encryption module to create a key pair for the shopping group. If the Meituan application is not the first application installed in the shopping group, the group management module directly associates the Meituan application with the shopping group and the shopping group's key.
S403. The group management module sends the encryption module a request to create a key pair for the group corresponding to the third application process.
The request carries the identifier of the group corresponding to the third application process.
S403a. The encryption module creates a key pair for the group corresponding to the third application process.
S404. The encryption module stores the created key pair in the secure storage module.
For example, on the Android system the secure storage module may comprise the keystore and the keymaster. The keystore stores the indexes of key pairs and provides the interface through which other applications use a key pair. The keymaster stores the contents of key pairs and performs the encryption and decryption of data. Specifically, the encryption module can store the created key pair in the keymaster via the keystore; because the keymaster is physically isolated from the keystore (on Android devices the keymaster implementation typically runs in a trusted execution environment or a secure element), the storage security of the key pair is improved.
S405. The encryption module returns information about the created key pair to the group management module.
The key pair information may include the correspondence between the group identifier and the index of the key pair.
For example, the encryption module may return the correspondence between the group identifier and the key pair index to the group management module. When the encryption module needs to encrypt, it can look up the corresponding encryption key in the secure storage module by the key pair index and encrypt with the key found. When the encryption module needs to decrypt, it can look up the corresponding decryption key in the secure storage module by the key pair index and decrypt with the key found.
Step S405 may also be performed before or at the same time as S404; the embodiments of the present application do not limit the order of steps S404 and S405.
S406. The group management module establishes the correspondence between the third application process and the group and key pair.
For example, from the correspondence between group identifier and key pair index returned by the encryption module, and the locally stored correspondence between the identifier of the third application process and the group identifier, the group management module establishes the correspondence between the identifier of the third application process, the group identifier and the key pair index.
It should be noted that if the applications in a group change, for example an application moves from one group to another, the group management module must update the correspondence between the application and the group and key pair.
For example, if a malicious application is found in a group, it can be removed from that group and moved to another group, so that it is no longer allowed to access the data of the other applications in the original group. Likewise, if an evaluation of its service nature finds that an application need not be in a given group, it can be removed from that group and moved to another group.
Thus, the embodiments of the present application provide a data processing method that groups applications, creates a key pair for each group and establishes the correspondence between applications, groups and key pairs, so that applications in the same group encrypt and decrypt with the same key.
Further, steps S102 to S104 of the data encryption process can be refined; they may then be replaced by S501 to S507, as shown in FIG. 10. The data processing method provided by the embodiment of the present application further specifically includes:
S501. The group management module receives first data sent by the first application process.
Specifically, the group management module is called by the first application process and can obtain the identifier of the first application process.
S502. From the identifier of the first application process, the group management module obtains the encryption key, or the key pair index, corresponding to the first application process.
For example, the group management module looks up the group identifier corresponding to the identifier of the first application process, then determines from that group identifier the encryption key or key pair index corresponding to the group. The encryption key or key pair index found corresponds to the encryption key or key pair of the first application process.
S503. The group management module sends the first data and the obtained encryption key or key pair index to the encryption module.
S504. The encryption module reads the encryption key corresponding to the first application process from the secure storage module by the encryption key or key pair index.
S505. The encryption module encrypts the first data with the obtained encryption key to obtain second data.
S506. The encryption module sends the second data to the group management module.
S507. The group management module sends the second data to the first application process.
Further, steps S203 to S206 of the decryption flow can be refined and replaced by S601 to S608. As shown in FIG. 11, the data processing method provided by the embodiment of this application then specifically includes:
S601. The first application process requests the group management module to decrypt the third data; the request carries the identifier of the second application process and the third data.
Specifically, when the first application process is invoked by the second application process, the first application process can obtain the identifier of the calling program, that is, the identifier of the second application process.
S602. The group management module determines, from the identifier of the second application process, whether the second application process is in the group corresponding to the first application process. If it is, step S603 is performed. Otherwise, the group management module does not request the encryption module to decrypt the third data, but returns the third data directly to the first application process.
Specifically, when the group management module is invoked by the first application process, it can obtain the identifier of the caller, that is, the identifier of the first application process. From that identifier the group management module determines the group to which the first application process belongs and the identifiers of the applications contained in that group. It can then determine, from the identifier of the second application process, whether the second application process is in that group. If it is, the group management module requests the encryption module to decrypt the third data, that is, step S603 is performed. If it is not, the group management module does not request the encryption module to decrypt the third data but returns the third data directly to the first application process, and the first application process returns the third data to the second application process.
S603. The group management module obtains, from the identifier of the first application process, the index of the decryption key or key pair corresponding to the first application process.
For example, the group management module looks up, from the identifier of the first application process, the group identifier corresponding to that identifier, and then determines from the group identifier the index of the decryption key or key pair corresponding to that group. The index found identifies the decryption key (or key pair) that matches the encryption key or key pair of the first application process.
S604. The group management module sends the third data and the obtained index of the decryption key or key pair to the encryption module.
S605. The encryption module reads the decryption key corresponding to the first application process from the secure storage module, using the index of the decryption key or key pair.
S606. The encryption module decrypts the third data with the obtained decryption key to obtain the fourth data.
The fourth data is the third data after decryption, that is, the plaintext.
S607. The encryption module sends the fourth data to the group management module.
S608. The group management module sends the fourth data to the first application process.
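The two procedures above (encryption in S501-S507 and decryption in S601-S608) as one added Go example; this is illustrative code written for this page, not code from the patent or from 华为技术有限公司. Everything not stated in the patent is an assumption: the cipher (AES-256-GCM, the patent names none), string application identifiers and the invented package names, integer key indices, in-memory tables for the group and key mappings, and the secure storage module being folded into the group manager as a map reached only through an index. The constructed configuration has N = 3 groups over M = 2 keys, so N >= M as in claim 1.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// GroupManager is the group management module. secureStore stands in for the
// secure storage module: a key is reached only through its index and is never
// returned to an application process. AES-256-GCM is an assumption.
type GroupManager struct {
	groupOf     map[string]string // application identifier -> group identifier
	keyIndexOf  map[string]int    // group identifier -> key index
	secureStore map[int][]byte    // key index -> 32-byte key
}

// aeadFor is S502-S504 and S603-S605: identifier -> group -> key index ->
// key in secure storage, wrapped as an AEAD.
func (g *GroupManager) aeadFor(procID string) (cipher.AEAD, error) {
	grp, ok := g.groupOf[procID]
	if !ok {
		return nil, fmt.Errorf("process %q belongs to no group", procID)
	}
	key, ok := g.secureStore[g.keyIndexOf[grp]]
	if !ok {
		return nil, fmt.Errorf("group %q has no key", grp)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFor is S501-S507: the first application process hands over first
// data and gets back second data, laid out as nonce || ciphertext || tag.
func (g *GroupManager) EncryptFor(firstProc string, firstData []byte) ([]byte, error) {
	aead, err := g.aeadFor(firstProc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, firstData, nil), nil
}

// DecryptFor is S601-S608. firstProc owns thirdData and is the caller;
// secondProc is the process that asked firstProc for it. A non-member gets
// the ciphertext back unchanged with decrypted=false (the "otherwise" branch
// of S602) and no key is touched. A tampered ciphertext, or one sealed under
// another group's key, fails the GCM tag check and is reported as an error.
func (g *GroupManager) DecryptFor(firstProc, secondProc string, thirdData []byte) (fourthData []byte, decrypted bool, err error) {
	ownerGroup, ok := g.groupOf[firstProc]
	if !ok {
		return nil, false, fmt.Errorf("process %q belongs to no group", firstProc)
	}
	if grp, ok := g.groupOf[secondProc]; !ok || grp != ownerGroup {
		return thirdData, false, nil // S602: not in the group, return as is
	}
	aead, err := g.aeadFor(firstProc)
	if err != nil {
		return nil, false, err
	}
	if len(thirdData) < aead.NonceSize() {
		return nil, false, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := thirdData[:aead.NonceSize()], thirdData[aead.NonceSize():]
	fourthData, err = aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, false, err
	}
	return fourthData, true, nil
}

// NewDemoTerminal builds a constructed configuration: N = 3 groups over
// M = 2 keys; all identifiers are invented. "personal" and "messaging" share
// key index 1, so isolation between them rests on the membership check alone.
func NewDemoTerminal() *GroupManager {
	store := map[int][]byte{}
	for idx := 0; idx < 2; idx++ {
		k := make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, k); err != nil {
			panic(err)
		}
		store[idx] = k
	}
	return &GroupManager{
		groupOf: map[string]string{
			"com.example.wallet": "finance", "com.example.pay": "finance",
			"com.example.notes": "personal", "com.example.mail": "messaging",
		},
		keyIndexOf:  map[string]int{"finance": 0, "personal": 1, "messaging": 1},
		secureStore: store,
	}
}
```

Two points worth checking in any real implementation of this scheme. First, because claim 1 allows N > M, two groups may hold the same key; the example's "personal" and "messaging" groups do, and the only thing keeping one from reading the other's plaintext is the membership check in S602 and the fact that the key never leaves the key management side. Second, the "otherwise" branch hands the requester the ciphertext rather than an error, so a caller outside the group learns the size of the data but nothing of its content, and an authenticated mode such as GCM ensures that ciphertext cannot be altered undetectably before a group member later decrypts it.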
It will be understood that, to implement the functions above, the terminal includes the hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of the embodiments of this invention.
The embodiments of this application may divide the terminal into functional modules according to the method examples above; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. Note that the division into modules in the embodiments of this invention is schematic and is only a logical functional division; other divisions are possible in actual implementation.
Where each functional module corresponds to one function, FIG. 12 shows a possible structure of the terminal involved in the embodiments above. As shown in FIG. 12, the terminal 1200 includes a first application module 1201, a second application module 1202 and a key management module 1203.
The first application module 1201 is configured to support the terminal in performing S101, S102 and S105 in FIG. 2, S202, S203 and S207 in FIG. 4, S302 in FIG. 5, S501 in FIG. 10, S601 in FIG. 11, and/or other processes of the techniques described herein. The second application module 1202 is configured to support the terminal in performing S201a and S201 in FIG. 4, and/or other processes of the techniques described herein. The key management module 1203 is configured to support the terminal in performing S103 and S104 in FIG. 2, S204-S206 in FIG. 4, S303-S305 in FIG. 5, S402-S406 in FIG. 9, S502-S507 in FIG. 10, S602-S608 in FIG. 11, and/or other processes of the techniques described herein.
All the content relating to the steps of the method embodiments above can be cited in the functional descriptions of the corresponding functional modules and is not repeated here.
Of course, the terminal 1200 may further include a secure storage unit 1204 for storing the group information, encryption keys and decryption keys of this application. The terminal 1200 may further include a communication unit for interaction with other devices. The functions that the functional units above can implement include, but are not limited to, the functions corresponding to the method steps described in the examples above; for a detailed description of the other units of the terminal 1200, refer to the detailed description of the corresponding method steps, which is not repeated here.
Where integrated units are used, the first application module 1201, the second application module 1202 and the key management module 1203 may be integrated together as the processing module of the terminal. The communication unit above may be the communication module of the terminal, such as an RF circuit, a WiFi module or a Bluetooth module. The secure storage unit above may be the storage module of the terminal.
FIG. 13 shows a possible structure of the terminal involved in the embodiments above. The terminal 1300 includes a processing module 1301, a storage module 1302 and a communication module 1303. The processing module 1301 controls and manages the actions of the terminal. The storage module 1302 stores the program code and data of the terminal. The communication module 1303 communicates with other terminals. The processing module 1301 may be a processor or a controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure of this invention. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The communication module 1303 may be a transceiver, a transceiver circuit or a communication interface. The storage module 1302 may be a memory.
When the processing module 1301 is a processor (the processor 101 shown in FIG. 1), the communication module 1303 is an RF transceiver circuit (the radio frequency circuit 102 shown in FIG. 1) and the storage module 1302 is a memory (the memory 103 shown in FIG. 1), the terminal provided by the embodiments of this application may be the terminal 100 shown in FIG. 1. The communication module 1303 may include not only the RF circuit but also a WiFi module and a Bluetooth module. Communication modules such as the RF circuit, WiFi module and Bluetooth module may be collectively referred to as a communication interface. The processor, communication interface and memory may be coupled together by a bus.
From the description of the embodiments above, those skilled in the art can clearly understand that, for convenience and brevity of description, only the division into the functional modules above is given as an example; in practice, the functions above may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the system, devices and units described above, refer to the corresponding process in the method embodiments above, which is not repeated here.
In the several embodiments provided by this application, it should be understood that the disclosed system, devices and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules or units is only a logical functional division, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied as a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server or a network device) or a processor to perform all or part of the steps of the methods described in the embodiments of this application. The storage medium includes any medium that can store program code, such as flash memory, a removable hard disk, read-only memory, random access memory, a magnetic disk or an optical disc.
The above is only a specific implementation of this application, but the scope of protection of this application is not limited to it; any variation or substitution within the technical scope disclosed in this application shall be covered by the scope of protection of this application. Therefore, the scope of protection of this application shall be that of the claims.

Claims (21)

  1. A data processing method, applied to a terminal that runs a first application process, a second application process and a key management process, the method comprising:
    the second application process sending an access request to the first application process, the access request requesting access to third data of the first application process;
    the key management process receiving a decryption request that requests decryption of the third data;
    if the key management process determines from the decryption request that the second application process is in the process group in which the first application process is located, the key management process decrypting the third data with the decryption key corresponding to the process group in which the first application process is located, to obtain fourth data;
    in response to the decryption request, the key management process returning the fourth data;
    wherein the terminal has N process groups; each of the N process groups contains at least one process, and at least one process group contains two or more processes; N is an integer greater than or equal to 1; the N process groups correspond to M decryption keys, and each process group corresponds to one decryption key; M is a positive integer and N >= M.
  2. The method according to claim 1, wherein the key management process receiving a decryption request that requests decryption of the third data is specifically:
    the key management process receiving the decryption request sent by the first application process according to the access request;
    the key management process returning the fourth data is specifically:
    the key management process returning the fourth data to the first application process;
    and the method further comprises:
    the first application process sending the fourth data to the second application process.
  3. The method according to claim 1 or 2, further comprising:
    if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sending the third data to the first application process;
    the first application process sending the third data to the second application process.
  4. The method according to claim 1, wherein, after the second application process sends the access request to the first application process and before the key management process receives the decryption request that requests decryption of the third data, the method further comprises:
    the second application process receiving the third data sent by the first application process;
    the key management process receiving a decryption request that requests decryption of the third data is specifically:
    the key management process receiving the decryption request sent by the second application process;
    the key management process returning the fourth data is specifically:
    the key management process returning the fourth data to the second application process.
  5. The method according to claim 4, further comprising:
    if the key management process determines that the second application process is not in the process group in which the first application process is located, the key management process sending the third data to the second application process.
  6. The method according to any one of claims 1-5, wherein, before the key management process decrypts the third data with the decryption key corresponding to the process group in which the first application process is located to obtain the fourth data, the method further comprises:
    the key management process obtaining the identifier of the first application process;
    the key management process determining, from the identifier of the first application process, the identifier of the process group in which the first application process is located;
    the key management process obtaining, from the identifier of the process group in which the first application process is located, the decryption key corresponding to that process group.
  7. The method according to any one of claims 1-6, further comprising:
    the first application process requesting the key management process to encrypt first data;
    the key management process determining, from the request, the process group in which the first application process is located;
    the key management process encrypting the first data with the encryption key corresponding to the process group in which the first application process is located, to generate second data; the N process groups correspond to M encryption keys, and each process group corresponds to one encryption key that matches its decryption key;
    the key management process sending the second data to the first application process.
  8. The method according to claim 7, wherein, after the key management process sends the second data to the first application process, the method further comprises:
    the first application process storing the second data.
  9. The method according to claim 8, wherein the key management process determining, from the request, the process group in which the first application process is located comprises:
    the key management process obtaining the identifier of the first application process;
    the key management process determining, from the identifier of the first application process, the identifier of the process group in which the first application process is located;
    the key management process obtaining, from the identifier of the process group in which the first application process is located, the encryption key corresponding to that process group.
  10. A terminal, comprising a first application module, a second application module and a key management module, wherein
    the second application module is configured to send an access request to the first application module, the access request requesting access to third data of a first application process;
    the key management module is configured to receive a decryption request that requests decryption of the third data;
    the key management module is further configured to, if it determines from the decryption request that a second application process is in the process group in which the first application process is located, decrypt the third data with the decryption key corresponding to the process group in which the first application process is located, to obtain fourth data;
    the key management module is further configured to return the fourth data in response to the decryption request;
    wherein the terminal has N process groups; each of the N process groups contains at least one process, and at least one process group contains two or more processes; N is an integer greater than or equal to 1; the N process groups correspond to M decryption keys, and each process group corresponds to one decryption key; M is a positive integer and N >= M.
  11. The terminal according to claim 10, wherein
    the key management module is further configured to receive the decryption request sent by the first application module according to the access request;
    the key management module is further configured to return the fourth data to the first application module;
    the first application module is configured to send the fourth data to the second application module.
  12. The terminal according to claim 10 or 11, wherein the key management module is further configured to, if it determines that the second application process is not in the process group in which the first application process is located, send the third data to the first application module;
    the first application module is further configured to send the third data to the second application module.
  13. The terminal according to claim 10, wherein
    the second application module is further configured to receive the third data sent by the first application module;
    the key management module is further configured to receive the decryption request sent by the second application module;
    the key management module is further configured to return the fourth data to the second application module.
  14. The terminal according to claim 13, wherein the key management module is further configured to, if it determines that the second application process is not in the process group in which the first application process is located, send the third data to the second application module.
  15. The terminal according to any one of claims 10-14, wherein
    the key management module is further configured to obtain the identifier of the first application module;
    the key management module is further configured to determine, from the identifier of the first application module, the identifier of the process group in which the first application module is located;
    the key management module is further configured to obtain, from the identifier of the process group in which the first application module is located, the decryption key corresponding to that process group.
  16. The terminal according to any one of claims 10-15, wherein
    the first application module is further configured to request the key management module to encrypt first data;
    the key management module is further configured to determine, from the request, the process group in which the first application module is located;
    the key management module is further configured to encrypt the first data with the encryption key corresponding to the process group in which the first application module is located, to generate second data; the N process groups correspond to M encryption keys, and each process group corresponds to one encryption key that matches its decryption key;
    the key management module is further configured to send the second data to the first application module.
  17. The terminal according to claim 16, wherein
    the first application module is further configured to store the second data.
  18. The terminal according to claim 17, wherein
    the key management module is further configured to obtain the identifier of the first application module;
    the key management module is further configured to determine, from the identifier of the first application module, the identifier of the process group in which the first application module is located;
    the key management module is further configured to obtain, from the identifier of the process group in which the first application module is located, the encryption key corresponding to that process group.
  19. A terminal, comprising a processor, a memory and a touch screen, the memory and the touch screen being coupled to the processor, the memory storing computer program code that comprises computer instructions, wherein the processor reads the computer instructions from the memory to perform the data processing method according to any one of claims 1-9.
  20. A computer storage medium, comprising computer instructions which, when run on a terminal, cause the terminal to perform the data processing method according to any one of claims 1-9.
  21. A computer program product which, when run on a computer, causes the computer to perform the data processing method according to any one of claims 1-9.
PCT/CN2017/120132 2017-12-29 2017-12-29 Grouped application using same key for sharing data WO2019127468A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2017/120132 WO2019127468A1 (en) 2017-12-29 2017-12-29 Grouped application using same key for sharing data
CN201780082026.7A CN110140124B (en) 2017-12-29 2017-12-29 Packet applications share data using the same key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/120132 WO2019127468A1 (en) 2017-12-29 2017-12-29 Grouped application using same key for sharing data

Publications (1)

Publication Number Publication Date
WO2019127468A1 true WO2019127468A1 (en) 2019-07-04

Family

ID=67063227

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/120132 WO2019127468A1 (en) 2017-12-29 2017-12-29 Grouped application using same key for sharing data

Country Status (2)

Country Link
CN (1) CN110140124B (en)
WO (1) WO2019127468A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113746777B (en) * 2020-05-27 2023-01-06 华为技术有限公司 Method for safely accessing data and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103796199A (en) * 2014-02-19 2014-05-14 郑州轻工业学院 Authenticable asymmetrical group secret key negotiation method in mobile unbalanced network
CN105260663A (en) * 2015-09-15 2016-01-20 中国科学院信息工程研究所 Secure storage service system and method based on TrustZone technology
US9361163B2 (en) * 2013-11-28 2016-06-07 Good Technology Corporation Managing containerized applications on a mobile device while bypassing operating system implemented inter process communication
CN107133498A (en) * 2017-04-20 2017-09-05 北京安云世纪科技有限公司 A kind of privacy application management method and device and mobile terminal

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7669226B2 (en) * 2004-07-30 2010-02-23 International Business Machines Corporation Generic declarative authorization scheme for Java
CN106650508A (en) * 2010-12-29 2017-05-10 凡诺尼斯系统有限公司 Method and device for determining data access permission of user group for data element group
CN103888252A (en) * 2012-12-19 2014-06-25 深圳市华营数字商业有限公司 UID, PID, and APPID-based control application access permission method
CN104980269A (en) * 2014-04-03 2015-10-14 华为技术有限公司 Secret key sharing method, device and system
CN104717232B (en) * 2015-04-09 2018-01-19 武汉理工大学 A kind of cryptographic system towards group
CN106156557B (en) * 2015-04-10 2019-08-06 海信集团有限公司 A kind of method and terminal of starting application
CN105634740A (en) * 2015-06-29 2016-06-01 宇龙计算机通信科技(深圳)有限公司 Fingerprint password verification method, system and terminal
US10747763B2 (en) * 2016-05-11 2020-08-18 International Business Machines Corporation Efficient multiple aggregation distinct processing
CN106056000B (en) * 2016-06-24 2019-12-24 北京奇虎科技有限公司 Mobile device storage partition configuration method and device based on system permission
CN107463823A (en) * 2017-07-31 2017-12-12 广东欧珀移动通信有限公司 Mobile terminal and application control method, computer-readable recording medium

Also Published As

Publication number Publication date
CN110140124B (en) 2021-04-20
CN110140124A (en) 2019-08-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17936055; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17936055; Country of ref document: EP; Kind code of ref document: A1)