WO2020094027A1 - Method and apparatus for processing invocation request for sensitive permission module in terminal - Google Patents

Method and apparatus for processing invocation request for sensitive permission module in terminal Download PDF

Info

Publication number
WO2020094027A1
WO2020094027A1 PCT/CN2019/115828 CN2019115828W WO2020094027A1 WO 2020094027 A1 WO2020094027 A1 WO 2020094027A1 CN 2019115828 W CN2019115828 W CN 2019115828W WO 2020094027 A1 WO2020094027 A1 WO 2020094027A1
Authority
WO
WIPO (PCT)
Prior art keywords
call
request
call request
module
application
Prior art date
Application number
PCT/CN2019/115828
Other languages
French (fr)
Chinese (zh)
Inventor
汪步庆
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2020094027A1 publication Critical patent/WO2020094027A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • the present application relates to, but is not limited to, the communication field, and in particular, to a method and device for processing a call request of a sensitive authority module in a terminal.
  • the terminal can collect a large amount of user privacy data through microphones, cameras, Global Positioning System (GPS) and other sensors, and can also read user privacy data through internal interfaces, such as contacts, SMS, call records, etc. Wait.
  • GPS Global Positioning System
  • the current system architecture of the terminal provides a mechanism for applications (APPs, including third-party APPs, system APPs, etc.) to call a microphone, camera, GPS, and other sensors or applications to perform permission checks when reading user privacy data.
  • applications including third-party APPs, system APPs, etc.
  • some software may use the permission to call the sensor to obtain outside information or read the user's private data at will without the user's knowledge after obtaining the user's relevant permission, resulting in the leakage of user privacy.
  • the embodiment of the present application provides a method and device for processing a call request of a sensitive authority module in a terminal, so as to at least solve the problem in the related art that the software arbitrarily calls the sensor to obtain outside information or reads the user's private data without the user's knowledge.
  • the issue of leakage of user privacy is not limited to, but not limited to, but not limited to, but not limited to, but not limited to, but not limited to, but not limited to a call request of a sensitive authority module in a terminal, so as to at least solve the problem in the related art that the software arbitrarily calls the sensor to obtain outside information or reads the user's private data without the user's knowledge.
  • a method for processing a call request of a sensitive permission module in a terminal including: receiving a call request of an application in a terminal to call a sensitive permission module; determining whether the call request meets a predetermined condition , wherein the predetermined condition includes at least one of the following: the application is in the background when the call request is initiated, the screen of the terminal is off when the application initiates the call request, and the application initiates the call When the request is in the foreground but the application does not receive a touch operation on the interface of the application within a predetermined period before the call request is initiated; if the call request meets the predetermined condition, the call request A predetermined process is performed, wherein the predetermined process includes at least one of the following: rejecting the call request, issuing a reminder for the call request, and asking whether to allow the call request.
  • an apparatus for processing a call request of a sensitive authority module in a terminal including: a call request receiving module, configured to receive a call request of an application in the terminal to call a sensitive authority module; A module for determining whether the call request meets a predetermined condition, wherein the predetermined condition includes at least one of the following: the application is in the background when the call request is initiated, and the terminal is when the application initiates the call request Of the screen is off, the application is in the foreground when the call request is initiated, but no touch operation is received on the interface of the application within a predetermined time period before the application initiates the call request; the processing module is used to When the call request meets the predetermined condition, perform a predetermined process on the call request, wherein the predetermined process includes at least one of the following: reject the call request, issue a reminder for the call request, and ask whether The call request is allowed.
  • a storage medium in which a computer program is stored, wherein the computer program is set to execute the steps in any one of the above method embodiments during runtime.
  • an electronic device including a memory and a processor, the memory stores a computer program, the processor is configured to run the computer program to perform any of the above The steps in the method embodiment.
  • an abnormal call judgment is made for the call request, and it can be monitored that the application is in the background, the screen is turned off, or the user's touch is not received in the foreground
  • the call request initiated in the case of operation, and correspondingly perform one or more of rejection, reminder, query and other operations.
  • an effective monitoring application for sensitive permission modules can include At least one of the following: the effect of calling the microphone module, camera module, GPS module, SMS module, contact module, call recording module, etc.), in certain preferred embodiments, the recording, analysis and Show.
  • FIG. 1 is a block diagram of a hardware structure of a mobile terminal of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
  • FIG. 2 is a flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application
  • step S204 is a specific flowchart of step S204 in a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
  • step S204 is another specific flowchart of step S204 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
  • step S206 is a specific flowchart of step S206 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
  • FIG. 6 is a specific flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application
  • FIG. 7 is another specific flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application
  • FIG. 8 is a structural block diagram of a device for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application
  • FIG. 9 is a detailed structural block diagram of a device for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application.
  • FIG. 10 is a schematic diagram of a system architecture according to an exemplary embodiment of the present application.
  • FIG. 11 is an overall flowchart according to an exemplary embodiment of the present application.
  • FIG. 13 is a statistical diagram of the use period of microphones and short messages according to an exemplary embodiment of the present application.
  • FIG. 14 is a schematic diagram of an interface for reminding a user after using a microphone in the background of an application according to an exemplary embodiment of the present application.
  • the terminal system for example, Android system, iOS system, etc.
  • a third-party application needs to access sensitive information such as contacts, SMS, or call GPS, Camera, microphone, etc.
  • the system's approach is to pop up a permission application dialog box.
  • the user can choose to allow or deny.
  • Some normal request users will choose to allow (for example, when users use WeChat to send pictures, WeChat requests permission to read photos).
  • this may also cause privacy leakage, because the application for obtaining permissions can have permanent permissions after being authorized by the user (unless the user enters the settings to manually close its permissions).
  • These applications may silently collect user's private data in the background without the user's knowledge.
  • the embodiments of the present application provide a processing solution for the call request of the sensitive authority module in the terminal.
  • the present application will be described in detail with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that the embodiments in the present application and the features in the embodiments can be combined with each other if there is no conflict.
  • FIG. 1 is a block diagram of a hardware structure of a mobile terminal of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application.
  • the mobile terminal 10 may include one or more (only one is shown in FIG. 1) processor 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc. ) And a memory 104 for storing data.
  • the above mobile terminal may further include a transmission device 106 for communication functions and an input and output device 108.
  • a transmission device 106 for communication functions may further include a transmission device 106 for communication functions and an input and output device 108.
  • FIG. 1 is merely an illustration, which does not limit the structure of the mobile terminal described above.
  • the mobile terminal 10 may also include more or fewer components than those shown in FIG. 1, or have a different configuration from that shown in FIG.
  • the memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as the computer program corresponding to the processing method of the call request of the sensitive authority module in the terminal in the embodiment of the present application, and the processor 102 is stored in the memory 104 by running Within the computer program, to perform various functional applications and data processing, that is, to implement the above method.
  • the memory 104 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory 104 may include memories remotely provided with respect to the processor 102, and these remote memories may be connected to the mobile terminal 10 through a network. Examples of the above network include but are not limited to the Internet, intranet, local area network, mobile communication network, and combinations thereof.
  • the transmission device 106 is used to receive or send data via a network.
  • the specific example of the network described above may include a wireless network provided by a communication provider of the mobile terminal 10.
  • the transmission device 106 includes a network adapter (Network Interface Controller, referred to as NIC for short), which can be connected to other network devices through the base station to communicate with the Internet.
  • the transmission device 106 may be a radio frequency (Radio Frequency, RF for short) module, which is used to communicate with the Internet in a wireless manner.
  • RF Radio Frequency
  • FIG. 2 is a flowchart of a method for processing a call request of a sensitive permission module in a terminal according to an embodiment of the present application, as shown in FIG. 2 As shown, the process includes the following steps.
  • Step S202 Receive a call request for the application in the terminal to call the sensitive authority module.
  • the concept of the sensitive authority module is well known in the art, and it is a series of modules related to user privacy, which can directly or indirectly control the operation of the sensor of the terminal, or read the user data in the terminal, and call these modules Need to perform permission check or permission application.
  • sensitive permission modules include but are not limited to: contact module, short message module, call record module, GPS module, Camera module, microphone module, etc.
  • Step S204 judging whether the call request meets a predetermined condition, wherein the predetermined condition includes at least one of the following: the application is in the background when the call request is initiated, and the terminal ’s The screen is off, the application is in the foreground when the call request is initiated, but no touch operation is received on the interface of the application within a predetermined time period before the application initiates the call request.
  • the predetermined condition includes at least one of the following: the application is in the background when the call request is initiated, and the terminal ’s The screen is off, the application is in the foreground when the call request is initiated, but no touch operation is received on the interface of the application within a predetermined time period before the application initiates the call request.
  • Step S206 when the call request meets the predetermined condition, perform a predetermined process on the call request, wherein the predetermined process includes at least one of the following: reject the call request, issue the call request Remind and ask if the call request is allowed.
  • the predetermined processing involved is intended to prevent abnormal calls, thereby preventing leakage of user privacy.
  • To alert the user by asking whether to allow the call request, you can use the Dialog to let the user decide whether to approve the call and give control to the user. When the user agrees, the call request is allowed.
  • the behavior of allowing the call request can be It is allowed for a long time. For security reasons, it may be allowed within a predetermined period of time, for example, to allow the application to call the sensitive permission module within 10 minutes, or only to authorize its use for more than 24 hours to re-authorize.
  • the execution body of the above steps may be a terminal.
  • an abnormal call judgment is made for the call request, and it can be monitored that the application is in the background, the screen is turned off, or the user's touch is not received in the foreground
  • the call request initiated in the case of operation, and correspondingly perform one or more of rejection, reminder, query and other operations.
  • an effective monitoring application for sensitive permission modules can include At least one of the following: the effect of calling the microphone module, camera module, GPS module, SMS module, contact module, call recording module, etc.), in certain preferred embodiments, the recording, analysis and Show.
  • the framework layer in the terminal receives the call request initiated by the application to call the sensitive permission module, wherein the call request includes one of the following: a call permission check request checkSelfPermission, call permission request requestPermission.
  • the frame layer in the terminal is generally versatile.
  • a simple and convenient method is to add a middleware layer, the middleware layer is a piece of processing code, and the normal processing code of the framework layer can be called by the middle
  • the middleware layer is called in the form of the interface corresponding to the middleware layer.
  • the middleware layer can be used to implement customized processing functions based on the general processing of the framework layer.
  • the middleware layer may include an abnormal call judgment component for performing abnormal call judgment, and may further include information reading for reading information required for abnormal judgment Components, the combination of the two can realize the judgment of abnormal calls, so that by calling the middleware layer on the basis of the framework layer, you can use a very convenient way to achieve abnormal calls without changing the original business logic of the framework. Judgment.
  • the middleware can communicate with the contact module, short message module, GPS module, Camera module, microphone module and so on. For the APP that has been authorized to start calling the privacy module, the middleware layer first makes abnormal call judgment.
  • step S204 the determination is made Whether the call request meets the predetermined condition may include the following steps.
  • Step S2042 The framework layer sends the call information corresponding to the call request to the middleware layer in the terminal, wherein the call information corresponding to the call request may include: the application that initiated the call request , And the judgment result of the framework layer judging whether to allow the call request.
  • step S2044 the middleware layer determines whether the call request meets the predetermined condition according to the call information.
  • the framework layer may change the interface calling behavior of checkSelfPermission or requestPermission to the middle of the terminal
  • the software layer sends the calling information corresponding to the calling request. That is to say, the calling information corresponding to the calling request can be transferred to the middleware layer through the calling interface set in the checkSelfPermission or the requestPermission.
  • step S204 exemplified above is only an example, and this solution can implement the method in this embodiment relatively easily without changing the frame layer.
  • step S204 directly modify the authorization check and application-related processing flow in the framework layer to add abnormal call judgment, for example, directly include a The abnormal call judgment component for judging abnormal calls and the information reading component for reading information required for abnormal judgment can also realize the judgment of abnormal calls.
  • step S204 directly modify the authorization check and application-related processing flow in the framework layer to add abnormal call judgment, for example, directly include a The abnormal call judgment component for judging abnormal calls and the information reading component for reading information required for abnormal judgment can also realize the judgment of abnormal calls.
  • other modules can also be used to implement abnormal call judgment, etc.
  • the specific implementation form of the abnormal call judgment is not limited in this application.
  • FIG. 4 is another specific flowchart of step S204 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application.
  • the frame layer is directed to the middleware layer in the terminal.
  • step S2042 of sending the calling information corresponding to the calling request it also includes one of the following.
  • the framework layer judges whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and the judgment result is If permitted, continue the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal.
  • the framework layer determines whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and the judgment result is If it is not allowed, the framework layer initiates a requestPermission to the sensitive permission module requested by the checkSelfPermission, and determines whether to automatically authorize the requestPermission according to the type of the sensitive permission module. In the case of, continue the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal.
  • the framework layer determines whether to automatically authorize the requestPermission according to the type of the sensitive permission module called by the requestPermission, and if the judgment result is automatic In the case of authorization, continue the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal.
  • FIG. 5 is a specific flowchart of step S206 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 5, step S206 is performed when the call request meets In the case of the predetermined condition, performing the predetermined processing on the call request may include the following steps.
  • Step S2062 the middleware layer returns a judgment result of judging whether the calling request satisfies the predetermined condition to the framework layer.
  • step S2064 the framework layer performs a predetermined process on the call request when the judgment result is that the call request meets the predetermined condition.
  • step S6 is a specific flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application.
  • the method further includes: step S602, Storing a call record generated by the call request to a database, wherein the call record includes at least one of the following: an identification of the application that initiated the call request, a type of the sensitive authority module called, and a call start Time, the time to end the call, and the duration of the call.
  • the call record generated by the call request may be stored in a database by the middleware layer, and the data that the middleware layer may obtain includes the time when the third-party APP accesses the contact module, the short message module, and the GPS module. Use Camera, microphone call duration, etc.
  • step S602 is another specific flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 7, after storing the call record generated by the call request in the database in step S602 And also includes the following steps.
  • Step S702 Receive a call record viewing request.
  • Step S704 Read the call record corresponding to the call record view request from the database according to the call record view request, and analyze and / or display the read call record.
  • the following processing can be performed on the collected information: visual analysis of the obtained information (display of histograms, etc.), statistics of the number of visits of contacts, SMS, and GPS; statistics of camera, microphone call duration, user You can view this information at any time. In this way, users can easily know the details of their private data being accessed.
  • step S206 when the call request meets the predetermined condition, the process of performing the predetermined process on the call request may include: The predetermined condition satisfied by the call request determines predetermined processing corresponding to the predetermined condition, and performs the determined predetermined processing on the call request.
  • This correspondence relationship can be set according to requirements, for example, it can be preset before leaving the factory, or can be set by the user.
  • the correspondence between the predetermined condition and the predetermined process may be as follows.
  • the predetermined processing includes at least rejecting the call request.
  • the predetermined process includes at least issuing a reminder or asking whether the call request is allowed for the call request.
  • the predetermined condition includes that the application is in the foreground when the call request is initiated, but the touch operation is not received on the interface of the application within a predetermined time period before the application initiates the call request
  • the predetermined The processing includes at least issuing a reminder or asking whether the calling request is allowed for the calling request.
  • an apparatus for processing a call request of a sensitive authority module in a terminal is also provided.
  • the apparatus is used to implement the foregoing embodiment and the preferred embodiments, and descriptions that have already been described will not be repeated.
  • the term "module" may implement a combination of software and / or hardware that performs predetermined functions.
  • the devices described in the following embodiments are implemented in software, implementation of hardware or a combination of software and hardware is also possible and conceived.
  • FIG. 8 is a structural block diagram of an apparatus for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 8, the apparatus includes:
  • the call request receiving module 81 is configured to receive a call request for an application in a terminal to call a sensitive authority module.
  • the determining module 82 is configured to determine whether the calling request meets a predetermined condition, where the predetermined condition includes at least one of the following: the application is in the background when the calling request is initiated, and the application is in the background when the calling request is initiated.
  • the predetermined condition includes at least one of the following: the application is in the background when the calling request is initiated, and the application is in the background when the calling request is initiated.
  • the screen of the terminal is off, the application is in the foreground when the call request is initiated, but no touch operation is received on the interface of the application within a predetermined time period before the application initiates the call request.
  • the processing module 83 is configured to perform predetermined processing on the calling request when the calling request meets the predetermined condition, wherein the predetermined processing includes at least one of the following: rejecting the calling request, targeting the The call request issues a reminder, asking if the call request is allowed.
  • an abnormal call judgment is made for the call request, and it can be monitored that the application is in the background, the screen is turned off, or the user's touch is not received in the foreground
  • the call request initiated in the case of operation, and correspondingly perform one or more of rejection, reminder, query and other operations.
  • an effective monitoring application for sensitive permission modules can include At least one of the following: the effect of calling the microphone module, camera module, GPS module, SMS module, contact module, call recording module, etc.), in certain preferred embodiments, the recording, analysis and Show.
  • FIG. 9 is a detailed structural block diagram of a device for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application.
  • the call request receiving module 81 is located at a frame layer in the terminal for receiving The call request initiated by the application to call the sensitive permission module, wherein the call request includes one of the following: a call permission check request checkSelfPermission, a call permission application request requestPermission.
  • the frame layer in the terminal is generally versatile.
  • a simple and convenient method is to add a middleware layer and call the middleware layer on the basis of the framework layer to realize the judgment of abnormal call.
  • the middleware layer can communicate with the contact module, short message module, GPS module, Camera module, microphone module, etc.
  • the middleware layer first makes abnormal call judgment.
  • the device further includes: an information delivery module 91 located at the frame layer, and used to send the data to the middleware layer located at the terminal.
  • the judging module 82 sends the calling information corresponding to the calling request, the calling information corresponding to the calling request includes: the identification of the application that initiated the calling request, and the framework layer judging whether to allow the calling request critical result.
  • the judgment module 82 is used to judge whether the calling request meets the predetermined condition according to the calling information.
  • the framework layer may change the interface calling behavior of checkSelfPermission or requestPermission to the middle of the terminal
  • the software layer sends the calling information corresponding to the calling request.
  • the information transfer module 91 is used to transfer the call information corresponding to the call request to the judgment module located at the middleware layer through the call interface set in the checkSelfPermission or the requestPermission 82.
  • the system may further include a permission control module 92, which is located at the frame layer in the terminal and used to perform one of the following.
  • the The information transfer module 91 sends the call information corresponding to the call request to the judgment module 82 located in the middleware layer in the terminal.
  • the call request includes the checkSelfPermission, determine whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and if the judgment result is not allowed, check The sensitive permission module called by checkSelfPermission initiates requestPermission, and judges whether to automatically authorize the requestPermission according to the type of the sensitive permission module.
  • the judgment result is automatic authorization, the information transfer module 91 is called to The judgment module 82 located in the middleware layer in the terminal sends call information corresponding to the call request.
  • the call request includes the requestPermission
  • determine whether to automatically authorize the requestPermission according to the type of the sensitive permission module requested by the requestPermission and call the request if the judgment result is automatic authorization
  • the information transfer module 91 sends the call information corresponding to the call request to the judgment module 72 located in the middleware layer in the terminal.
  • the processing module 83 may be located at the frame layer of the terminal, and the judgment module 82 is used to judge whether the call request meets the predetermined condition The result is returned to the processing module 83; the processing module 83 is used to perform predetermined processing on the call request if the judgment result is that the call request meets the predetermined condition.
  • the system may further include: a storage module 93, configured to store a call record generated by the call request to a database, wherein the call record includes at least one of the following: the call request is initiated The identification of the application, the type of the sensitive permission module called, the time to start the call, the time to end the call, and the duration of the call.
  • a storage module 93 configured to store a call record generated by the call request to a database, wherein the call record includes at least one of the following: the call request is initiated The identification of the application, the type of the sensitive permission module called, the time to start the call, the time to end the call, and the duration of the call.
  • the call record generated by the call request may be stored in a database by the middleware layer, and the data that the middleware layer may obtain includes the time when the third-party APP accesses the contact module, the SMS module, and the GPS module Use Camera, microphone call duration, etc. Therefore, the storage module may be located at the middleware layer in the terminal.
  • the storage module may be located at the middleware layer in the terminal.
  • a storage module is directly provided in the framework layer, or the function of the storage module is implemented in other modules, which is not limited in this embodiment.
  • the system may further include: a viewing request receiving module 94 for receiving a call record viewing request; an analysis display module 95 for reading the call record viewing request according to the calling record viewing request Call record View the call record corresponding to the request, and analyze and / or display the read call record.
  • a viewing request receiving module 94 for receiving a call record viewing request
  • an analysis display module 95 for reading the call record viewing request according to the calling record viewing request Call record View the call record corresponding to the request, and analyze and / or display the read call record.
  • the following processing can be performed on the collected information: visual analysis of the obtained information (display of histograms, etc.), statistics of the number of visits of contacts, SMS, and GPS; statistics of camera, microphone call duration, user You can view this information at any time. In this way, users can easily know the details of their private data being accessed.
  • the processing module 83 is configured to: according to the predetermined condition that the call request satisfies when the call request meets the predetermined condition The condition determines a predetermined process corresponding to the predetermined condition, and performs the determined predetermined process on the call request.
  • the correspondence between the predetermined condition and the predetermined processing may be as follows: when the predetermined condition includes that the screen of the terminal is off when the application initiates the call request, the The predetermined processing includes at least rejecting the call request; when the predetermined condition includes that the application is in the background when the call request is initiated, the predetermined processing includes at least issuing a reminder or asking whether the call request is allowed for the call request The call request; when the predetermined condition includes that the application is in the foreground when the call request is initiated but the touch operation is not received on the interface of the application within a predetermined time period before the application initiates the call request , The predetermined processing includes at least issuing a reminder or asking whether the calling request is allowed for the calling request.
  • the above modules can be implemented by software or hardware, and the latter can be implemented by the following methods, but not limited to this: the above modules are all located in the same processor; or, the above modules can be combined in any combination The forms are located in different processors.
  • An embodiment of the present application further provides a storage medium in which a computer program is stored, wherein the computer program is configured to execute any of the steps in the above method embodiments during runtime.
  • the above storage medium may include, but is not limited to: a USB flash drive, a read-only memory (Read-Only Memory, ROM for short), a random access memory (Random Access Memory, RAM for short), Various media that can store computer programs, such as removable hard disks, magnetic disks, or optical disks.
  • An embodiment of the present application further provides an electronic device, including a memory and a processor, where the computer program is stored in the memory, and the processor is configured to run the computer program to perform the steps in any one of the foregoing method embodiments.
  • the electronic device may further include a transmission device and an input-output device, wherein the transmission device is connected to the processor, and the input-output device is connected to the processor.
  • FIG. 10 is a schematic diagram of a system architecture according to an exemplary embodiment of the present application.
  • the system in the terminal includes the following layers: a framework layer 1001, which When it detects that a third-party application checks or requests sensitive permissions (such as access to contacts, SMS, Camera, GPS, microphone, etc.), it communicates with the middleware layer 1002 and passes data to the middleware layer 1002 for judgment.
  • the middleware layer 1002 receives the data from the frame layer 1001, performs abnormal call judgment, and returns the result to the frame layer 1001, and at the same time transfers the corresponding third-party call data to the database layer 1003 for storage.
  • the database layer 1003 receives and processes incoming data from the middleware layer 1002, performs insertion, update, and the like.
  • the data display module 1004 analyzes the data in the database layer 1003 and displays it to the user, which can be displayed in various forms.
  • FIG. 11 is an overall flowchart according to an exemplary embodiment of the present application, and each part involved in FIG. 11 is briefly described below.
  • APP1APP2APP3 refers to third-party applications or independent applications of the system.
  • the contact module, short message module, Camera module, GPS module, and microphone module refer to some sensitive information modules in the mobile phone, including frame layer processing and sensor services, etc., which corresponds to the frame layer 1001 in FIG. 10.
  • the middleware layer corresponds to the middleware layer 1002 in FIG. 10.
  • the database corresponds to the database layer 1003 in FIG.
  • the data display module corresponds to the data display module 1004 of FIG.
  • SMSTYPE 1, // indicates the type of SMS data obtained
  • GPSTYPE // indicates calling GPS data type
  • Boolean isUseStart true; // true--start to use; false--end to use
  • the mobile phone comes with apps or apps downloaded from the third-party market.
  • apps read contacts, SMS data, or open / release Camera, GPS, microphone, and other services, the behavior of these apps will be detected at the frame layer 1001.
  • the processing of the framework layer 1001 is as follows: a request for invoking privacy permission by a third-party application will call the checkSelfPermission method or the requestPermissions method (regardless of whether the APP has obtained permission).
  • the framework layer passes the call information to the middleware layer 1002.
  • the framework layer returns True or False (True indicates that the APP has obtained permission, False indicates that the APP has not obtained permission).
  • the framework layer determines whether the user actively authorizes or the system automatically authorizes, and then the framework layer passes the result to the middleware layer 1002.
  • the return value of the third-party application uid and checkSelfPermission or requestPermissions can be passed into the middleware layer 1002 by modifying the Android SDK SDK checkSelfPermission and requestPermissions interfaces.
  • the processing flow of the middleware layer 1002 is as follows: the middleware layer 1002 judges whether it is an abnormal call, thereby rejecting or approving the request.
  • the middleware layer 1002 judges whether it is an abnormal call, thereby rejecting or approving the request.
  • the processing methods described below belong to one of many feasible processing methods. The list here is only for example and should not be understood as the only processing method. .
  • the third-party application uid can be obtained through the Android standard SDK interface (such as Binder.getCallingUid ()), so as to obtain the specific application package name.
  • FIG. 12 is a flowchart of permission inspection, application, and abnormality judgment according to an exemplary embodiment of the present application. The following provides a combination of the framework layer 1001 and the middleware layer 1002 in several scenarios in conjunction with FIG. Process of judgment.
  • the middleware layer 1002 first determines whether the third-party application is in the foreground or background. If it is in the background, it obtains the application package name and sends a Notification to inform the user that the request has been rejected. In the notification, the user can click to enter the permission list interface of the three-party application; if it is the foreground, it will detect whether the user has a touch event within a few seconds before the request event time. If there is no touch screen event, a Dialog will pop up to prompt the user. Allow or deny buttons. For the foreground application, the package name of the application, the time of querying the data, and the data marked as fetching SMS type are transferred to the database.
  • the detailed parameters are as follows: a) the package name of the third-party application; b) the data type of EnumTYPE.SMSTYPE GPS is GPSTYPE, and the contact is CONTACTTYPE; c) Whether the transfer is started is marked as true; d) The time when the transfer is started is transferred.
  • the middleware layer 1002 also needs to store the usage data in the database.
  • requestPermissions The result returned by requestPermissions is the user's active authorization.
  • the application is in the foreground and the user actively authorizes the SMS access permission.
  • the application can access the SMS normally.
  • the middleware layer 1002 writes the short message access time into the database.
  • step 1.1) is entered.
  • the middleware layer 1002 first determines whether the third-party application is in the foreground or background. If it is in the background, it obtains the application package name and sends a Notification to inform the user that the request has been rejected. In the notification, the user can click to enter the permission list interface of the three-party application; if it is the foreground, it will detect whether the user has a touch event within a few seconds before the request event time. If there is no touch screen event, a Dialog will pop up to remind the user that the user can click Allow or deny buttons.
  • the package name of the application and the time of querying the data and the data marked as fetching SMS type are transferred to the database.
  • the detailed parameters are as follows: a) the package name of the third-party application; b) the data type is EnumTYPE.MICROPHONETYPE, Camera is of CAMERATYPE type; c) whether the transfer start flag is true; d) the transfer start time; e) the transfer end time.
  • the middleware layer 1002 also needs to store the usage data in the database.
  • the result returned by requestPermissions is the user's active authorization.
  • the application is in the foreground and the user actively authorized the microphone access permission.
  • the application can access the microphone normally.
  • the middleware layer 1002 writes the microphone access time into the database.
  • the middleware layer 1002 detects the mobile phone screen extinguishing broadcast event, the current mobile phone screen is marked as off, at this time the middleware layer 1002 can directly refuse permission; the background application authorization can also Use a more flexible approach, such as authorizing only 24 hours (free access within 24 hours, re-authorization is required after 24 hours).
  • the middleware layer 1002 detects a bright screen event, the marked screen is modified to be in use state, and the processing flow at this time is the same as the processing flow in 1 and 2.
  • the processing of the database layer 1003 is as follows: after processing the incoming data of the middle layer, after checking the validity, it is inserted into the database and saved. Receive a query request from the data display layer and feed back the corresponding data to display.
  • the processing of the data display module 1004 is as follows: through various combinations of queries, the data in the database is displayed in the UI in different dimensions, which is convenient for users to analyze and judge, such as: the number of times the APP accesses contacts, SMS, GPS, call Camera, microphone Duration; analysis of an application ’s use of private data in the most recent period; which applications of a certain privacy data or sensor have been used in the most recent period; can set a fixed weekly or monthly push notification bar for analysis data to remind users to view; or discover Which applications frequently use private data to remind users, etc. for a certain period of time.
  • the specific display methods are not listed here one by one.
  • FIG. 13 is a statistical diagram of usage periods of microphones and short messages according to an exemplary embodiment of the present application.
  • the horizontal axis is the time coordinate, indicating 0-24 hours of the day. If the bar is filled with a specific pattern, it indicates that the microphone is used during this time. By using different patterns or colors to distinguish different apps, click to display the specific data used (duration and start and end time). By pinching two fingers together, you can display a week of usage charts. The use of the camera can be displayed in a similar manner to the use of the microphone in FIG. 13.
  • the horizontal axis is the time coordinate, representing 0-24 hours of a day.
  • the rectangular bar shows the number of times the SMS was accessed in a certain period of time.
  • the above is just a display example, and the specific display methods and reminder methods can be various. For example, it can periodically remind the statistics, remind the abnormal behavior data in a certain period of time, etc.
  • FIG. 14 is a schematic diagram of an interface for reminding a user after using a microphone in the background of an application according to an exemplary embodiment of the present application.
  • the terminal can directly refuse the call and use notification to remind the user.
  • an effective monitoring application for sensitive permission modules can include At least one of the following: the effect of calling the microphone module, camera module, GPS module, SMS module, contact module, call recording module, etc.), in certain preferred embodiments, the recording, analysis and Show.
  • modules or steps of this application can be implemented by a general-purpose computing device, and they can be concentrated on a single computing device or distributed in a network composed of multiple computing devices
  • they can be implemented with program code executable by the computing device, so that they can be stored in the storage device to be executed by the computing device, and in some cases, can be in a different order than here
  • the steps shown or described are performed, or they are made into individual integrated circuit modules respectively, or multiple modules or steps among them are made into a single integrated circuit module to achieve. In this way, this application is not limited to any specific combination of hardware and software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)

Abstract

Provided are a method and apparatus for processing an invocation request for a sensitive permission module in a terminal. The method comprises: receiving an invocation request for invoking a sensitive permission module by an application in a terminal (S202); determining whether the invocation request meets pre-determined conditions, wherein the pre-determined conditions comprise at least one of the following: the application is in the background when initiating the invocation request, the screen of the terminal is in a turned-off state when the application initiates the invocation request, and the application is in the foreground when initiating the invocation request, but a touch operation is not received on an interface of the application within a pre-determined duration before the application initiates the invocation request (S204); and where the invocation request meets the pre-determined conditions, performing pre-determined processing on the invocation request, wherein the pre-determined processing comprises at least one of the following: rejecting the invocation request, issuing a reminder for the invocation request, and inquiring about whether the invocation request is allowed (S206).

Description

终端中敏感权限模块的调用请求的处理方法及装置Method and device for processing call request of sensitive authority module in terminal
交叉引用cross reference
本申请引用于2018年11月05日递交的名称为“终端中敏感权限模块的调用请求的处理方法及装置”的第201811307589.4号中国专利申请,其通过引用被全部并入本申请。This application refers to the Chinese patent application No. 201811307589.4 filed on November 05, 2018, entitled "Processing Method and Apparatus for Calling Requests of Sensitive Rights Modules in Terminals", which is fully incorporated by reference into this application.
技术领域Technical field
本申请涉及但不限于通信领域,尤其涉及一种终端中敏感权限模块的调用请求的处理方法及装置。The present application relates to, but is not limited to, the communication field, and in particular, to a method and device for processing a call request of a sensitive authority module in a terminal.
背景技术Background technique
数据隐私一直用户关注的焦点,但是隐私泄露事件依然时有发生。终端可以通过麦克风、摄像头、全球定位系统(Global Positioning System,简称为GPS)等传感器收集大量的用户隐私数据,还可以通过内部接口读取到用户隐私数据,例如,联系人、短信、通话记录等等。Data privacy has always been the focus of users' attention, but privacy breaches still occur from time to time. The terminal can collect a large amount of user privacy data through microphones, cameras, Global Positioning System (GPS) and other sensors, and can also read user privacy data through internal interfaces, such as contacts, SMS, call records, etc. Wait.
为了保护用户隐私数据,目前终端的系统架构提供了应用(APP,包括第三方APP、系统APP等)调用麦克风、摄像头、GPS等传感器或应用读取用户隐私数据时进行权限检查的机制。然而,有些软件可能会在获取用户相关权限后,在用户不知情的情况下利用该权限随意调用传感器获取外界信息或随意读取用户隐私数据,造成用户隐私的泄露。In order to protect user privacy data, the current system architecture of the terminal provides a mechanism for applications (APPs, including third-party APPs, system APPs, etc.) to call a microphone, camera, GPS, and other sensors or applications to perform permission checks when reading user privacy data. However, some software may use the permission to call the sensor to obtain outside information or read the user's private data at will without the user's knowledge after obtaining the user's relevant permission, resulting in the leakage of user privacy.
发明内容Summary of the invention
本申请实施例提供了一种终端中敏感权限模块的调用请求的处理方法及装置,以至少解决相关技术中软件在用户不知情的情况下随意调用 传感器获取外界信息或随意读取用户隐私数据,造成用户隐私的泄露的问题。The embodiment of the present application provides a method and device for processing a call request of a sensitive authority module in a terminal, so as to at least solve the problem in the related art that the software arbitrarily calls the sensor to obtain outside information or reads the user's private data without the user's knowledge. The issue of leakage of user privacy.
根据本申请的一个实施例,提供了一种终端中敏感权限模块的调用请求的处理方法,包括:接收终端中的应用对敏感权限模块进行调用的调用请求;判断所述调用请求是否满足预定条件,其中,所述预定条件包括以下至少之一:所述应用发起所述调用请求时处于后台、所述应用发起所述调用请求时所述终端的屏幕处于关闭状态、所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作;在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理,其中,所述预定处理包括以下至少之一:拒绝所述调用请求、针对所述调用请求发出提醒、询问是否允许所述调用请求。According to an embodiment of the present application, a method for processing a call request of a sensitive permission module in a terminal is provided, including: receiving a call request of an application in a terminal to call a sensitive permission module; determining whether the call request meets a predetermined condition , Wherein the predetermined condition includes at least one of the following: the application is in the background when the call request is initiated, the screen of the terminal is off when the application initiates the call request, and the application initiates the call When the request is in the foreground but the application does not receive a touch operation on the interface of the application within a predetermined period before the call request is initiated; if the call request meets the predetermined condition, the call request A predetermined process is performed, wherein the predetermined process includes at least one of the following: rejecting the call request, issuing a reminder for the call request, and asking whether to allow the call request.
根据本申请的另一个实施例,提供了一种终端中敏感权限模块的调用请求的处理装置,包括:调用请求接收模块,用于接收终端中的应用对敏感权限模块进行调用的调用请求;判断模块,用于判断所述调用请求是否满足预定条件,其中,所述预定条件包括以下至少之一:所述应用发起所述调用请求时处于后台、所述应用发起所述调用请求时所述终端的屏幕处于关闭状态、所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作;处理模块,用于在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理,其中,所述预定处理包括以下至少之一:拒绝所述调用请求、针对所述调用请求发出提醒、询问是否允许所述调用请求。According to another embodiment of the present application, there is provided an apparatus for processing a call request of a sensitive authority module in a terminal, including: a call request receiving module, configured to receive a call request of an application in the terminal to call a sensitive authority module; A module for determining whether the call request meets a predetermined condition, wherein the predetermined condition includes at least one of the following: the application is in the background when the call request is initiated, and the terminal is when the application initiates the call request Of the screen is off, the application is in the foreground when the call request is initiated, but no touch operation is received on the interface of the application within a predetermined time period before the application initiates the call request; the processing module is used to When the call request meets the predetermined condition, perform a predetermined process on the call request, wherein the predetermined process includes at least one of the following: reject the call request, issue a reminder for the call request, and ask whether The call request is allowed.
根据本申请的又一个实施例,还提供了一种存储介质,所述存储介质中存储有计算机程序,其中,所述计算机程序被设置为运行时执行上述任一项方法实施例中的步骤。According to yet another embodiment of the present application, there is also provided a storage medium in which a computer program is stored, wherein the computer program is set to execute the steps in any one of the above method embodiments during runtime.
根据本申请的又一个实施例,还提供了一种电子装置,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器被设置为运行所述计算机程序以执行上述任一项方法实施例中的步骤。According to yet another embodiment of the present application, there is also provided an electronic device including a memory and a processor, the memory stores a computer program, the processor is configured to run the computer program to perform any of the above The steps in the method embodiment.
通过本申请,在接收到终端中的应用对敏感权限模块进行调用的调用请求后,针对调用请求进行了异常调用的判断,能够监控到应用处于后台、熄屏、或前台未收到用户的触摸操作的情况下发起的调用请求,并相应的执行拒绝、提醒、询问等操作中的一种或多种。通过该方案,可以解决软件在用户不知情的情况下随意调用传感器获取外界信息或随意读取用户隐私数据,造成用户隐私的泄露的问题,达到了有效监控应用对敏感权限模块(例如,可以包括以下至少之一:麦克风模块、摄像头模块、GPS模块、短信模块、联系人模块、通话记录模块等等)的调用的效果,在某些优选实施例中,还能够实现调用数据的记录、分析和展示。Through this application, after receiving the call request of the application in the terminal to call the sensitive permission module, an abnormal call judgment is made for the call request, and it can be monitored that the application is in the background, the screen is turned off, or the user's touch is not received in the foreground The call request initiated in the case of operation, and correspondingly perform one or more of rejection, reminder, query and other operations. Through this solution, it can solve the problem of software arbitrarily calling sensors to obtain external information or reading user privacy data without the user's knowledge, resulting in the leakage of user privacy, and an effective monitoring application for sensitive permission modules (for example, can include At least one of the following: the effect of calling the microphone module, camera module, GPS module, SMS module, contact module, call recording module, etc.), in certain preferred embodiments, the recording, analysis and Show.
附图说明BRIEF DESCRIPTION
此处所说明的附图用来提供对本申请的进一步理解,构成本申请的一部分,本申请的示意性实施例及其说明用于解释本申请,并不构成对本申请的不当限定。在附图中:The drawings described herein are used to provide a further understanding of the present application and form a part of the present application. The schematic embodiments and descriptions of the present application are used to explain the present application and do not constitute an undue limitation on the present application. In the drawings:
图1是本申请实施例的一种终端中敏感权限模块的调用请求的处理方法的移动终端的硬件结构框图;1 is a block diagram of a hardware structure of a mobile terminal of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图2是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法的流程图;2 is a flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图3是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法中步骤S204的具体流程图;3 is a specific flowchart of step S204 in a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图4是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法中步骤S204的另一具体流程图;4 is another specific flowchart of step S204 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图5是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法中步骤S206的具体流程图;5 is a specific flowchart of step S206 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图6是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法的具体流程图;6 is a specific flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图7是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法的另一具体流程图;7 is another specific flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图8是根据本申请实施例的终端中敏感权限模块的调用请求的处理装置的结构框图;8 is a structural block diagram of a device for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图9是根据本申请实施例的终端中敏感权限模块的调用请求的处理装置的详细结构框图;9 is a detailed structural block diagram of a device for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application;
图10是根据本申请示例性实施例的系统架构示意图;10 is a schematic diagram of a system architecture according to an exemplary embodiment of the present application;
图11是根据本申请示例性实施例的整体流程图;11 is an overall flowchart according to an exemplary embodiment of the present application;
图12是根据本申请示例性实施例的权限检查、申请及异常判断的流程图;12 is a flowchart of permission inspection, application, and abnormality judgment according to an exemplary embodiment of the present application;
图13是根据本申请示例性实施例的麦克风和短信的使用时间段统计图;13 is a statistical diagram of the use period of microphones and short messages according to an exemplary embodiment of the present application;
图14是根据本申请示例性实施例的应用后台使用麦克风被阻止后提醒用户的界面的示意图。FIG. 14 is a schematic diagram of an interface for reminding a user after using a microphone in the background of an application according to an exemplary embodiment of the present application.
具体实施例Specific examples
在终端的系统(例如,Android系统,iOS系统等等)当中,第三方应用需要访问联系人、短信或调用GPS、Camera、麦克风等敏感信息时,系统的做法是弹出一个权限申请的对话框,用户可以选择允许或拒绝。有些正常的请求用户会选择允许(比如用户使用微信发图片时,微信请求照片读取权限)。但是,这样也有可能会造成隐私泄露,因为获取权限的应 用在得到用户授权后就可以具有永久的权限(除非用户进入设置手动关闭它的权限)。这些应用有可能在用户不知情的情况下在后台默默的收集用户的隐私数据。In the terminal system (for example, Android system, iOS system, etc.), when a third-party application needs to access sensitive information such as contacts, SMS, or call GPS, Camera, microphone, etc., the system's approach is to pop up a permission application dialog box. The user can choose to allow or deny. Some normal request users will choose to allow (for example, when users use WeChat to send pictures, WeChat requests permission to read photos). However, this may also cause privacy leakage, because the application for obtaining permissions can have permanent permissions after being authorized by the user (unless the user enters the settings to manually close its permissions). These applications may silently collect user's private data in the background without the user's knowledge.
针对以上的问题,本申请的实施例提供了终端中敏感权限模块的调用请求的处理方案,下文中将参考附图并结合实施例来详细说明本申请。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。In view of the above problems, the embodiments of the present application provide a processing solution for the call request of the sensitive authority module in the terminal. Hereinafter, the present application will be described in detail with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that the embodiments in the present application and the features in the embodiments can be combined with each other if there is no conflict.
需要说明的是,本申请的说明书和权利要求书及上述附图中的术语“第一”、“第二”等是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。It should be noted that the terms “first” and “second” in the description and claims of the present application and the above drawings are used to distinguish similar objects, and do not have to be used to describe a specific order or sequence.
本申请所提供的方法实施例可以在终端(包括移动终端、计算机终端或者类似的运算装置)中执行。以运行在移动终端上为例,图1是本申请实施例的一种终端中敏感权限模块的调用请求的处理方法的移动终端的硬件结构框图。如图1所示,移动终端10可以包括一个或多个(图1中仅示出一个)处理器102(处理器102可以包括但不限于微处理器MCU或可编程逻辑器件FPGA等的处理装置)和用于存储数据的存储器104,可选地,上述移动终端还可以包括用于通信功能的传输设备106以及输入输出设备108。本领域普通技术人员可以理解,图1所示的结构仅为示意,其并不对上述移动终端的结构造成限定。例如,移动终端10还可包括比图1中所示更多或者更少的组件,或者具有与图1所示不同的配置。The method embodiments provided in this application may be executed in a terminal (including a mobile terminal, a computer terminal, or a similar computing device). Taking an example running on a mobile terminal, FIG. 1 is a block diagram of a hardware structure of a mobile terminal of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 1, the mobile terminal 10 may include one or more (only one is shown in FIG. 1) processor 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc. ) And a memory 104 for storing data. Optionally, the above mobile terminal may further include a transmission device 106 for communication functions and an input and output device 108. A person of ordinary skill in the art may understand that the structure shown in FIG. 1 is merely an illustration, which does not limit the structure of the mobile terminal described above. For example, the mobile terminal 10 may also include more or fewer components than those shown in FIG. 1, or have a different configuration from that shown in FIG.
存储器104可用于存储计算机程序,例如,应用软件的软件程序以及模块,如本申请实施例中的终端中敏感权限模块的调用请求的处理方法对应的计算机程序,处理器102通过运行存储在存储器104内的计算机程序,从而执行各种功能应用以及数据处理,即实现上述的方法。存储器104可包括高速随机存储器,还可包括非易失性存储器,如一个或者多个磁性 存储装置、闪存、或者其他非易失性固态存储器。在一些实例中,存储器104可包括相对于处理器102远程设置的存储器,这些远程存储器可以通过网络连接至移动终端10。上述网络的实例包括但不限于互联网、企业内部网、局域网、移动通信网及其组合。The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as the computer program corresponding to the processing method of the call request of the sensitive authority module in the terminal in the embodiment of the present application, and the processor 102 is stored in the memory 104 by running Within the computer program, to perform various functional applications and data processing, that is, to implement the above method. The memory 104 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may include memories remotely provided with respect to the processor 102, and these remote memories may be connected to the mobile terminal 10 through a network. Examples of the above network include but are not limited to the Internet, intranet, local area network, mobile communication network, and combinations thereof.
传输装置106用于经由一个网络接收或者发送数据。上述的网络具体实例可包括移动终端10的通信供应商提供的无线网络。在一个实例中,传输装置106包括一个网络适配器(Network Interface Controller,简称为NIC),其可通过基站与其他网络设备相连从而可与互联网进行通讯。在一个实例中,传输装置106可以为射频(Radio Frequency,简称为RF)模块,其用于通过无线方式与互联网进行通讯。The transmission device 106 is used to receive or send data via a network. The specific example of the network described above may include a wireless network provided by a communication provider of the mobile terminal 10. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, referred to as NIC for short), which can be connected to other network devices through the base station to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (Radio Frequency, RF for short) module, which is used to communicate with the Internet in a wireless manner.
在本实施例中提供了一种运行于终端的敏感权限模块的调用请求的处理方法,图2是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法的流程图,如图2所示,该流程包括如下步骤。In this embodiment, a method for processing a call request of a sensitive permission module running on a terminal is provided. FIG. 2 is a flowchart of a method for processing a call request of a sensitive permission module in a terminal according to an embodiment of the present application, as shown in FIG. 2 As shown, the process includes the following steps.
步骤S202,接收终端中的应用对敏感权限模块进行调用的调用请求。Step S202: Receive a call request for the application in the terminal to call the sensitive authority module.
敏感权限模块的概念在本领域中是公知的,其是一系列与用户隐私相关的模块,其能够直接或间接的控制终端的传感器运作、或读取终端中的用户数据,对这些模块的调用需要进行权限检查或权限申请。这类敏感权限模块包括但不限于:联系人模块、短信模块、通话记录模块、GPS模块、Camera模块、麦克风模块等等。The concept of the sensitive authority module is well known in the art, and it is a series of modules related to user privacy, which can directly or indirectly control the operation of the sensor of the terminal, or read the user data in the terminal, and call these modules Need to perform permission check or permission application. Such sensitive permission modules include but are not limited to: contact module, short message module, call record module, GPS module, Camera module, microphone module, etc.
步骤S204,判断所述调用请求是否满足预定条件,其中,所述预定条件包括以下至少之一:所述应用发起所述调用请求时处于后台、所述应用发起所述调用请求时所述终端的屏幕处于关闭状态、所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作。Step S204, judging whether the call request meets a predetermined condition, wherein the predetermined condition includes at least one of the following: the application is in the background when the call request is initiated, and the terminal ’s The screen is off, the application is in the foreground when the call request is initiated, but no touch operation is received on the interface of the application within a predetermined time period before the application initiates the call request.
步骤S206,在所述调用请求满足所述预定条件的情况下,对所述调 用请求执行预定处理,其中,所述预定处理包括以下至少之一:拒绝所述调用请求、针对所述调用请求发出提醒、询问是否允许所述调用请求。Step S206, when the call request meets the predetermined condition, perform a predetermined process on the call request, wherein the predetermined process includes at least one of the following: reject the call request, issue the call request Remind and ask if the call request is allowed.
本步骤中,所涉及的预定处理旨在防止异常调用,从而防止用户隐私泄露。其中,通过拒绝所述调用请求,可以直接阻断拒绝所述应用使用所请求的隐私权限模块;通过针对所述调用请求发出提醒,例如,若在亮屏状态下可以在屏幕上显示提醒信息,还可以辅以声音、指示灯、震动等提醒方式,若在熄屏状态下,可以通过声音、指示灯或震动等方式进行提醒,通过各种形式的notification提示用户存在有异常调用行为的应用,引起用户警觉;通过询问是否允许所述调用请求,可以采用弹出Dialog的方式让用户来决定是否同意调用,将控制权交给用户,当用户同意时,允许调用请求,该允许调用请求的行为可以是长期允许,为了安全起见,也可以是预定时间段内允许,例如,允许10分钟内该应用对该敏感权限模块的调用,或者,只授权其使用24小时超过24小时后要重新授权。In this step, the predetermined processing involved is intended to prevent abnormal calls, thereby preventing leakage of user privacy. Among them, by refusing the call request, you can directly block the application of the requested privacy permission module; by issuing a reminder for the call request, for example, if the screen is in the bright state, you can display reminder information on the screen, It can also be supplemented by sound, indicator light, vibration and other reminder methods. If the screen is off, you can use sound, indicator light or vibration to remind you, and various forms of notification will prompt the user to have an application with abnormal calling behavior. To alert the user; by asking whether to allow the call request, you can use the Dialog to let the user decide whether to approve the call and give control to the user. When the user agrees, the call request is allowed. The behavior of allowing the call request can be It is allowed for a long time. For security reasons, it may be allowed within a predetermined period of time, for example, to allow the application to call the sensitive permission module within 10 minutes, or only to authorize its use for more than 24 hours to re-authorize.
可选地,上述步骤的执行主体可以为终端。Optionally, the execution body of the above steps may be a terminal.
通过上述步骤,在接收到终端中的应用对敏感权限模块进行调用的调用请求后,针对调用请求进行了异常调用的判断,能够监控到应用处于后台、熄屏、或前台未收到用户的触摸操作的情况下发起的调用请求,并相应的执行拒绝、提醒、询问等操作中的一种或多种。通过该方案,可以解决软件在用户不知情的情况下随意调用传感器获取外界信息或随意读取用户隐私数据,造成用户隐私的泄露的问题,达到了有效监控应用对敏感权限模块(例如,可以包括以下至少之一:麦克风模块、摄像头模块、GPS模块、短信模块、联系人模块、通话记录模块等等)的调用的效果,在某些优选实施例中,还能够实现调用数据的记录、分析和展示。Through the above steps, after receiving the call request of the application in the terminal to call the sensitive permission module, an abnormal call judgment is made for the call request, and it can be monitored that the application is in the background, the screen is turned off, or the user's touch is not received in the foreground The call request initiated in the case of operation, and correspondingly perform one or more of rejection, reminder, query and other operations. Through this solution, it can solve the problem of software arbitrarily calling sensors to obtain external information or reading user privacy data without the user's knowledge, resulting in the leakage of user privacy, and an effective monitoring application for sensitive permission modules (for example, can include At least one of the following: the effect of calling the microphone module, camera module, GPS module, SMS module, contact module, call recording module, etc.), in certain preferred embodiments, the recording, analysis and Show.
终端中应用(包括第三方应用和系统应用)要调用终端中的传感器(例如,GPS、麦克风、摄像头等等)或者读取终端中的敏感用户信息(例 如,读取短信、联系人信息、通话记录等等)时,可以向终端中的框架层检查或申请敏感权限,一般可以通过两种请求来完成。相应地,在步骤S202中,所述终端中的框架层接收所述应用发起的对所述敏感权限模块进行调用的所述调用请求,其中,所述调用请求包括以下之一:调用权限检查请求checkSelfPermission、调用权限申请请求requestPermission。Applications in the terminal (including third-party applications and system applications) need to call sensors in the terminal (for example, GPS, microphone, camera, etc.) or read sensitive user information in the terminal (for example, read SMS, contact information, and call When recording, etc.), you can check or apply sensitive permissions to the framework layer in the terminal, which can generally be completed through two requests. Accordingly, in step S202, the framework layer in the terminal receives the call request initiated by the application to call the sensitive permission module, wherein the call request includes one of the following: a call permission check request checkSelfPermission, call permission request requestPermission.
终端中的框架层作为系统层面的基础框架,一般是具有通用性的。为了在不改变基础框架的前提下实现本申请所述的方法,一种简单、便捷的方法是增加一个中间件层,该中间件层是一段处理代码,框架层正常处理代码可以通过调用该中间件层对应的接口的形式调用该中间件层,中间件层可以用于在框架层的通用处理的基础上,实现定制的处理功能。在本申请的至少一个示例性实施例中,该中间件层可以包括一用于进行异常调用的判断的异常调用判断组件,还可以包括用于读取进行异常判断所需的信息的信息读取组件,二者配合可以实现异常调用的判断,这样,通过在框架层的基础上调用中间件层,就可以在不改变原有框架基础业务逻辑的基础上采用非常便捷的方式来实现异常调用的判断。该中间件能够和联系人模块、短信模块、GPS模块、Camera模块、麦克风模块等进行通信。对于已经被授权的APP启动调用隐私模块,中间件层首先进行异常调用判断。As the basic framework at the system level, the frame layer in the terminal is generally versatile. In order to implement the method described in this application without changing the basic framework, a simple and convenient method is to add a middleware layer, the middleware layer is a piece of processing code, and the normal processing code of the framework layer can be called by the middle The middleware layer is called in the form of the interface corresponding to the middleware layer. The middleware layer can be used to implement customized processing functions based on the general processing of the framework layer. In at least one exemplary embodiment of the present application, the middleware layer may include an abnormal call judgment component for performing abnormal call judgment, and may further include information reading for reading information required for abnormal judgment Components, the combination of the two can realize the judgment of abnormal calls, so that by calling the middleware layer on the basis of the framework layer, you can use a very convenient way to achieve abnormal calls without changing the original business logic of the framework. Judgment. The middleware can communicate with the contact module, short message module, GPS module, Camera module, microphone module and so on. For the APP that has been authorized to start calling the privacy module, the middleware layer first makes abnormal call judgment.
因此,作为一个可选的示例性实施例,如图3的根据本申请实施例的终端中敏感权限模块的调用请求的处理方法中步骤S204的具体流程图所示,步骤S204中,判断所述调用请求是否满足预定条件可以包括以下步骤。Therefore, as an optional exemplary embodiment, as shown in the specific flowchart of step S204 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application in FIG. 3, in step S204, the determination is made Whether the call request meets the predetermined condition may include the following steps.
步骤S2042,所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息,其中,所述调用请求对应的所述调用信息可以包括:发起所述调用请求的所述应用的标识,以及所述框架层判断是否允许所述 调用请求的判断结果。Step S2042: The framework layer sends the call information corresponding to the call request to the middleware layer in the terminal, wherein the call information corresponding to the call request may include: the application that initiated the call request , And the judgment result of the framework layer judging whether to allow the call request.
步骤S2044,所述中间件层根据所述调用信息判断所述调用请求是否满足所述预定条件。In step S2044, the middleware layer determines whether the call request meets the predetermined condition according to the call information.
作为一种示例性实施例,由于应用需要调用敏感权限模块时,会向框架层发起checkSelfPermission或requestPermission,所以,所述框架层可以通过改变checkSelfPermission或requestPermission的接口调用行为,向所述终端中的中间件层发送所述调用请求对应的所述调用信息。也就是说,可以通过所述checkSelfPermission或所述requestPermission中设置的调用接口,将所述调用请求对应的所述调用信息传入所述中间件层。As an exemplary embodiment, when an application needs to call a sensitive permission module, it will initiate a checkSelfPermission or requestPermission to the framework layer. Therefore, the framework layer may change the interface calling behavior of checkSelfPermission or requestPermission to the middle of the terminal The software layer sends the calling information corresponding to the calling request. That is to say, the calling information corresponding to the calling request can be transferred to the middleware layer through the calling interface set in the checkSelfPermission or the requestPermission.
本领域技术人员应当理解,以上所举例的步骤S204的实现方式仅仅是一种举例,该方案能够比较简单地实现本实施例中的方法,无需对框架层进行改变。但是,本领域技术人员应当能够想到还有很多种方法能够实现步骤S204,例如,直接修改框架层中的权限检查和申请相关的处理流程以加入异常调用判断,例如,直接在框架层中包括一用于进行异常调用的判断的异常调用判断组件以及用于读取进行异常判断所需的信息的信息读取组件,同样能够实现异常调用的判断。除此之外,本领域技术人员也能够理解,可选地还可以采用其他的模块来实现异常调用判断等等,本申请对异常调用判断的具体实现形式不做限定。Those skilled in the art should understand that the implementation of step S204 exemplified above is only an example, and this solution can implement the method in this embodiment relatively easily without changing the frame layer. However, those skilled in the art should be able to think that there are many ways to implement step S204, for example, directly modify the authorization check and application-related processing flow in the framework layer to add abnormal call judgment, for example, directly include a The abnormal call judgment component for judging abnormal calls and the information reading component for reading information required for abnormal judgment can also realize the judgment of abnormal calls. In addition, those skilled in the art can also understand that, optionally, other modules can also be used to implement abnormal call judgment, etc. The specific implementation form of the abnormal call judgment is not limited in this application.
图4是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法中步骤S204的另一具体流程图,如图4所示,在所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息的步骤S2042之前,还包括以下之一。FIG. 4 is another specific flowchart of step S204 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 4, the frame layer is directed to the middleware layer in the terminal. Before step S2042 of sending the calling information corresponding to the calling request, it also includes one of the following.
2040-1,在所述调用请求包括所述checkSelfPermission的情况下,所述框架层根据系统中记录的所述应用对各敏感权限模块的调用权限判断是否允许所述调用请求,并在判断结果为允许的情况下,继续所述框架 层向所述终端中的中间件层发送所述调用请求对应的调用信息的步骤。2040-1, in the case where the call request includes the checkSelfPermission, the framework layer judges whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and the judgment result is If permitted, continue the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal.
2040-2,在所述调用请求包括所述checkSelfPermission的情况下,所述框架层根据系统中记录的所述应用对各敏感权限模块的调用权限判断是否允许所述调用请求,并在判断结果为不允许的情况下,所述框架层对所述checkSelfPermission所请求调用的敏感权限模块发起requestPermission,并根据所述敏感权限模块的类型判断是否对所述requestPermission进行自动授权,在判断结果为进行自动授权的情况下,继续所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息的步骤。2040-2. In the case that the call request includes the checkSelfPermission, the framework layer determines whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and the judgment result is If it is not allowed, the framework layer initiates a requestPermission to the sensitive permission module requested by the checkSelfPermission, and determines whether to automatically authorize the requestPermission according to the type of the sensitive permission module. In the case of, continue the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal.
2040-3,在所述调用请求包括所述requestPermission的情况下,所述框架层根据所述requestPermission所请求调用的敏感权限模块的类型判断是否对所述requestPermission进行自动授权,在判断结果为进行自动授权的情况下,继续所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息的步骤。2040-3. In the case where the call request includes the requestPermission, the framework layer determines whether to automatically authorize the requestPermission according to the type of the sensitive permission module called by the requestPermission, and if the judgment result is automatic In the case of authorization, continue the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal.
作为一个示例性实施例,图5是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法中步骤S206的具体流程图,如图5所示,步骤S206在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理可以包括以下步骤。As an exemplary embodiment, FIG. 5 is a specific flowchart of step S206 in the method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 5, step S206 is performed when the call request meets In the case of the predetermined condition, performing the predetermined processing on the call request may include the following steps.
步骤S2062,所述中间件层将判断所述调用请求是否满足所述预定条件的判断结果返回给所述框架层。Step S2062, the middleware layer returns a judgment result of judging whether the calling request satisfies the predetermined condition to the framework layer.
步骤S2064,所述框架层在所述判断结果为所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理。In step S2064, the framework layer performs a predetermined process on the call request when the judgment result is that the call request meets the predetermined condition.
图6是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法的具体流程图,如图6所示,在步骤S206对所述调用请求执行预定处理之后,还包括:步骤S602,将所述调用请求所产生的调用记录存储 到数据库,其中,所述调用记录包括以下至少之一:发起所述调用请求的所述应用的标识、调用的所述敏感权限模块的类型、开始调用的时间、结束调用的时间、调用持续的时长。6 is a specific flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 6, after performing predetermined processing on the call request in step S206, the method further includes: step S602, Storing a call record generated by the call request to a database, wherein the call record includes at least one of the following: an identification of the application that initiated the call request, a type of the sensitive authority module called, and a call start Time, the time to end the call, and the duration of the call.
作为一个示例性实施例,可以由中间件层将所述调用请求所产生的调用记录存储到数据库,中间件层可以获取的数据包括第三方APP访问联系人模块、短信模块、GPS模块的时刻,使用Camera、麦克风的调用时长等等。As an exemplary embodiment, the call record generated by the call request may be stored in a database by the middleware layer, and the data that the middleware layer may obtain includes the time when the third-party APP accesses the contact module, the short message module, and the GPS module. Use Camera, microphone call duration, etc.
图7是根据本申请实施例的终端中敏感权限模块的调用请求的处理方法的另一具体流程图,如图7所示,在步骤S602将所述调用请求所产生的调用记录存储到数据库之后,还包括以下步骤。7 is another specific flowchart of a method for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 7, after storing the call record generated by the call request in the database in step S602 And also includes the following steps.
步骤S702,接收调用记录查看请求。Step S702: Receive a call record viewing request.
步骤S704,根据所述调用记录查看请求,从所述数据库中读取所述调用记录查看请求所对应的调用记录,并分析和/或显示读取的所述调用记录。Step S704: Read the call record corresponding to the call record view request from the database according to the call record view request, and analyze and / or display the read call record.
作为一个示例性实施例,对于收集到的信息可以做以下处理:对获取的信息进行可视化分析(柱状图等展示),统计联系人、短信、GPS的访问次数;统计Camera、麦克风调用时长,用户可以随时查看这些信息。这样用户就可以轻松知晓自己的隐私数据被访问的详细情况。As an exemplary embodiment, the following processing can be performed on the collected information: visual analysis of the obtained information (display of histograms, etc.), statistics of the number of visits of contacts, SMS, and GPS; statistics of camera, microphone call duration, user You can view this information at any time. In this way, users can easily know the details of their private data being accessed.
针对于不同种类的异常调用,可以考虑设置不同的预定处理方式,以实现更加灵活多样的异常调用处理方式,提高用户的体验。因此,所述预定条件和所述预定处理之间可以存在对应关系,步骤S206在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理的过程可以包括:根据所述调用请求满足的所述预定条件,确定与所述预定条件相对应的预定处理,并对所述调用请求执行确定的所述预定处理。For different types of exception calls, it may be considered to set different predetermined processing methods, so as to implement a more flexible and diverse method for processing exception calls and improve the user experience. Therefore, there may be a correspondence between the predetermined condition and the predetermined process. In step S206, when the call request meets the predetermined condition, the process of performing the predetermined process on the call request may include: The predetermined condition satisfied by the call request determines predetermined processing corresponding to the predetermined condition, and performs the determined predetermined processing on the call request.
这种对应关系可以根据需求进行设置,例如,可以出厂前预先设置, 也可以由用户进行设置。作为一个示例性的实施例,预定条件和预定处理之间存在的对应关系可以如下。This correspondence relationship can be set according to requirements, for example, it can be preset before leaving the factory, or can be set by the user. As an exemplary embodiment, the correspondence between the predetermined condition and the predetermined process may be as follows.
在所述预定条件包括所述应用发起所述调用请求时所述终端的屏幕处于关闭状态的情况下,所述预定处理至少包括拒绝所述调用请求。When the predetermined condition includes that the screen of the terminal is turned off when the application initiates the call request, the predetermined processing includes at least rejecting the call request.
在所述预定条件包括所述应用发起所述调用请求时处于后台的情况下,所述预定处理至少包括针对所述调用请求发出提醒或询问是否允许所述调用请求。When the predetermined condition includes that the application is in the background when the call request is initiated, the predetermined process includes at least issuing a reminder or asking whether the call request is allowed for the call request.
在所述预定条件包括所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作的情况下,所述预定处理至少包括针对所述调用请求发出提醒或询问是否允许所述调用请求。When the predetermined condition includes that the application is in the foreground when the call request is initiated, but the touch operation is not received on the interface of the application within a predetermined time period before the application initiates the call request, the predetermined The processing includes at least issuing a reminder or asking whether the calling request is allowed for the calling request.
本领域技术人员应当理解,以上的对应关系仅仅是一个例子,本实施例的方案并不限于此,对应关系应当可以根据实际应用场景或用户需求进行随意设置。Those skilled in the art should understand that the above correspondence is only an example, and the solution in this embodiment is not limited to this. The correspondence should be arbitrarily set according to actual application scenarios or user requirements.
通过以上的实施例的描述,本领域的技术人员可以清楚地了解到根据上述实施例的方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施例。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质(如ROM/RAM、磁碟、光盘)中,包括若干指令用以使得一台终端设备(可以是手机,计算机,服务器,或者网络设备等)执行本申请各个实施例所述的方法。Through the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by means of software plus a necessary general hardware platform, and of course, it can also be implemented by hardware, but in many cases the former is A better embodiment. Based on this understanding, the technical solutions of the present application can be embodied in the form of software products in essence or part of contributions to the existing technology, and the computer software products are stored in a storage medium (such as ROM / RAM, magnetic disk, The CD-ROM includes several instructions to enable a terminal device (which may be a mobile phone, computer, server, or network device, etc.) to execute the methods described in the embodiments of the present application.
在本实施例中还提供了一种终端中敏感权限模块的调用请求的处理装置,该装置用于实现上述实施例及优选实施例,已经进行过说明的不再赘述。如以下所使用的,术语“模块”可以实现预定功能的软件和/或硬 件的组合。尽管以下实施例所描述的装置以软件来实现,但是硬件,或者软件和硬件的组合的实现也是可能并被构想的。In this embodiment, an apparatus for processing a call request of a sensitive authority module in a terminal is also provided. The apparatus is used to implement the foregoing embodiment and the preferred embodiments, and descriptions that have already been described will not be repeated. As used below, the term "module" may implement a combination of software and / or hardware that performs predetermined functions. Although the devices described in the following embodiments are implemented in software, implementation of hardware or a combination of software and hardware is also possible and conceived.
图8是根据本申请实施例的终端中敏感权限模块的调用请求的处理装置的结构框图,如图8所示,该装置包括:8 is a structural block diagram of an apparatus for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 8, the apparatus includes:
调用请求接收模块81,用于接收终端中的应用对敏感权限模块进行调用的调用请求。The call request receiving module 81 is configured to receive a call request for an application in a terminal to call a sensitive authority module.
判断模块82,用于判断所述调用请求是否满足预定条件,其中,所述预定条件包括以下至少之一:所述应用发起所述调用请求时处于后台、所述应用发起所述调用请求时所述终端的屏幕处于关闭状态、所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作。The determining module 82 is configured to determine whether the calling request meets a predetermined condition, where the predetermined condition includes at least one of the following: the application is in the background when the calling request is initiated, and the application is in the background when the calling request is initiated The screen of the terminal is off, the application is in the foreground when the call request is initiated, but no touch operation is received on the interface of the application within a predetermined time period before the application initiates the call request.
处理模块83,用于在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理,其中,所述预定处理包括以下至少之一:拒绝所述调用请求、针对所述调用请求发出提醒、询问是否允许所述调用请求。The processing module 83 is configured to perform predetermined processing on the calling request when the calling request meets the predetermined condition, wherein the predetermined processing includes at least one of the following: rejecting the calling request, targeting the The call request issues a reminder, asking if the call request is allowed.
通过上述步骤,在接收到终端中的应用对敏感权限模块进行调用的调用请求后,针对调用请求进行了异常调用的判断,能够监控到应用处于后台、熄屏、或前台未收到用户的触摸操作的情况下发起的调用请求,并相应的执行拒绝、提醒、询问等操作中的一种或多种。通过该方案,可以解决软件在用户不知情的情况下随意调用传感器获取外界信息或随意读取用户隐私数据,造成用户隐私的泄露的问题,达到了有效监控应用对敏感权限模块(例如,可以包括以下至少之一:麦克风模块、摄像头模块、GPS模块、短信模块、联系人模块、通话记录模块等等)的调用的效果,在某些优选实施例中,还能够实现调用数据的记录、分析和展示。Through the above steps, after receiving the call request of the application in the terminal to call the sensitive permission module, an abnormal call judgment is made for the call request, and it can be monitored that the application is in the background, the screen is turned off, or the user's touch is not received in the foreground The call request initiated in the case of operation, and correspondingly perform one or more of rejection, reminder, query and other operations. Through this solution, it can solve the problem of software arbitrarily calling sensors to obtain external information or reading user privacy data without the user's knowledge, resulting in the leakage of user privacy, and an effective monitoring application for sensitive permission modules (for example, can include At least one of the following: the effect of calling the microphone module, camera module, GPS module, SMS module, contact module, call recording module, etc.), in certain preferred embodiments, the recording, analysis and Show.
终端中应用(包括第三方应用和系统应用)要调用终端中的传感器 (例如,GPS、麦克风、摄像头等等)或者读取终端中的敏感用户信息(例如,读取短信、联系人信息、通话记录等等)时,可以向终端中的框架层检查或申请敏感权限,一般可以通过两种请求来完成。以下结合图9来详细描述终端中敏感权限模块的调用请求的处理装置在终端系统中的分层处理方式,需要说明的是,该方案仅仅是一种可选的实现方式,不应当被理解为是对本申请的保护范围的限定。Applications in the terminal (including third-party applications and system applications) need to call sensors in the terminal (for example, GPS, microphone, camera, etc.) or read sensitive user information in the terminal (for example, read SMS, contact information, and call When recording, etc.), you can check or apply sensitive permissions to the framework layer in the terminal, which can generally be completed through two requests. The following describes the layered processing method of the call request processing device of the sensitive authority module in the terminal in the terminal system in conjunction with FIG. 9. It should be noted that this solution is only an optional implementation method and should not be understood as It is to limit the scope of protection of this application.
图9是根据本申请实施例的终端中敏感权限模块的调用请求的处理装置的详细结构框图,如图9所示,所述调用请求接收模块81位于所述终端中的框架层,用于接收所述应用发起的对所述敏感权限模块进行调用的所述调用请求,其中,所述调用请求包括以下之一:调用权限检查请求checkSelfPermission、调用权限申请请求requestPermission。FIG. 9 is a detailed structural block diagram of a device for processing a call request of a sensitive authority module in a terminal according to an embodiment of the present application. As shown in FIG. 9, the call request receiving module 81 is located at a frame layer in the terminal for receiving The call request initiated by the application to call the sensitive permission module, wherein the call request includes one of the following: a call permission check request checkSelfPermission, a call permission application request requestPermission.
终端中的框架层作为系统层面的基础框架,一般是具有通用性的。为了在不改变基础框架的前提下实现本申请所述的方法,一种简单、便捷的方法是增加一个中间件层,在框架层的基础上调用中间件层来实现异常调用的判断。该中间件层能够和联系人模块、短信模块、GPS模块、Camera模块、麦克风模块等进行通信。对于已经被授权的APP启动调用隐私模块,中间件层首先进行异常调用判断。As the basic framework at the system level, the frame layer in the terminal is generally versatile. In order to implement the method described in this application without changing the basic framework, a simple and convenient method is to add a middleware layer and call the middleware layer on the basis of the framework layer to realize the judgment of abnormal call. The middleware layer can communicate with the contact module, short message module, GPS module, Camera module, microphone module, etc. For the APP that has been authorized to start calling the privacy module, the middleware layer first makes abnormal call judgment.
因此,作为一个可选的示例性实施例,如图9所示,所述装置还包括:信息传递模块91,位于所述框架层,用于向位于所述终端中的中间件层的所述判断模块82发送所述调用请求对应的调用信息,所述调用请求对应的所述调用信息包括:发起所述调用请求的所述应用的标识,以及所述框架层判断是否允许所述调用请求的判断结果。Therefore, as an optional exemplary embodiment, as shown in FIG. 9, the device further includes: an information delivery module 91 located at the frame layer, and used to send the data to the middleware layer located at the terminal. The judging module 82 sends the calling information corresponding to the calling request, the calling information corresponding to the calling request includes: the identification of the application that initiated the calling request, and the framework layer judging whether to allow the calling request critical result.
所述判断模块82用于根据所述调用信息判断所述调用请求是否满足所述预定条件。The judgment module 82 is used to judge whether the calling request meets the predetermined condition according to the calling information.
作为一种示例性实施例,由于应用需要调用敏感权限模块时,会向 框架层发起checkSelfPermission或requestPermission,所以,所述框架层可以通过改变checkSelfPermission或requestPermission的接口调用行为,向所述终端中的中间件层发送所述调用请求对应的所述调用信息。也就是说,所述信息传递模块91用于通过所述checkSelfPermission或所述requestPermission中设置的调用接口,将所述调用请求对应的所述调用信息传入位于所述中间件层的所述判断模块82。As an exemplary embodiment, when an application needs to call a sensitive permission module, it will initiate a checkSelfPermission or requestPermission to the framework layer. Therefore, the framework layer may change the interface calling behavior of checkSelfPermission or requestPermission to the middle of the terminal The software layer sends the calling information corresponding to the calling request. In other words, the information transfer module 91 is used to transfer the call information corresponding to the call request to the judgment module located at the middleware layer through the call interface set in the checkSelfPermission or the requestPermission 82.
本领域技术人员应当理解,以上所举例的异常调用的监控实现方式仅仅是一种举例,该方案能够比较简单地实现本实施例中的方法,无需对框架层进行改变。但是,本领域技术人员应当能够想到还有很多种方法能够实现异常调用的监控,例如,直接修改框架层中的权限检查和申请相关的处理流程以加入异常调用判断,或者采用其他的模块来实现异常调用判断等等,本申请对此不做限定。Those skilled in the art should understand that the above-mentioned implementation method for monitoring abnormal calls is only an example, and this solution can implement the method in this embodiment relatively easily without changing the framework layer. However, those skilled in the art should be able to think of many ways to monitor abnormal calls, for example, directly modify the permission check and application-related processing flow in the framework layer to add abnormal call judgment, or use other modules to achieve Abnormal call judgment, etc., this application does not limit.
如图9所示,该系统还可以包括权限控制模块92,位于所述终端中的框架层,用于执行以下之一。As shown in FIG. 9, the system may further include a permission control module 92, which is located at the frame layer in the terminal and used to perform one of the following.
在所述调用请求包括所述checkSelfPermission的情况下,根据系统中记录的所述应用对各敏感权限模块的调用权限判断是否允许所述调用请求,并在判断结果为允许的情况下,调用所述信息传递模块91向位于所述终端中的中间件层的所述判断模块82发送所述调用请求对应的调用信息。When the call request includes the checkSelfPermission, determine whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and if the judgment result is allowed, call the The information transfer module 91 sends the call information corresponding to the call request to the judgment module 82 located in the middleware layer in the terminal.
在所述调用请求包括所述checkSelfPermission的情况下,根据系统中记录的所述应用对各敏感权限模块的调用权限判断是否允许所述调用请求,并在判断结果为不允许的情况下,对所述checkSelfPermission所请求调用的敏感权限模块发起requestPermission,并根据所述敏感权限模块的类型判断是否对所述requestPermission进行自动授权,在判断结果为进行自动授权的情况下,调用所述信息传递模块91向位于所述终端中的中 间件层的所述判断模块82发送所述调用请求对应的调用信息。When the call request includes the checkSelfPermission, determine whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and if the judgment result is not allowed, check The sensitive permission module called by checkSelfPermission initiates requestPermission, and judges whether to automatically authorize the requestPermission according to the type of the sensitive permission module. When the judgment result is automatic authorization, the information transfer module 91 is called to The judgment module 82 located in the middleware layer in the terminal sends call information corresponding to the call request.
在所述调用请求包括所述requestPermission的情况下,根据所述requestPermission所请求调用的敏感权限模块的类型判断是否对所述requestPermission进行自动授权,在判断结果为进行自动授权的情况下,调用所述信息传递模块91向位于所述终端中的中间件层的所述判断模块72发送所述调用请求对应的调用信息。When the call request includes the requestPermission, determine whether to automatically authorize the requestPermission according to the type of the sensitive permission module requested by the requestPermission, and call the request if the judgment result is automatic authorization The information transfer module 91 sends the call information corresponding to the call request to the judgment module 72 located in the middleware layer in the terminal.
作为一个示例性实施例,如图9所示,所述处理模块83可以位于所述终端的所述框架层,所述判断模块82用于将判断所述调用请求是否满足所述预定条件的判断结果返回给所述处理模块83;所述处理模块83用于在所述判断结果为所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理。As an exemplary embodiment, as shown in FIG. 9, the processing module 83 may be located at the frame layer of the terminal, and the judgment module 82 is used to judge whether the call request meets the predetermined condition The result is returned to the processing module 83; the processing module 83 is used to perform predetermined processing on the call request if the judgment result is that the call request meets the predetermined condition.
如图9所示,该系统还可以包括:存储模块93,用于将所述调用请求所产生的调用记录存储到数据库,其中,所述调用记录包括以下至少之一:发起所述调用请求的所述应用的标识、调用的所述敏感权限模块的类型、开始调用的时间、结束调用的时间、调用持续的时长。As shown in FIG. 9, the system may further include: a storage module 93, configured to store a call record generated by the call request to a database, wherein the call record includes at least one of the following: the call request is initiated The identification of the application, the type of the sensitive permission module called, the time to start the call, the time to end the call, and the duration of the call.
作为一个示例性实施例,可以由中间件层将所述调用请求所产生的调用记录存储到数据库,中间件层可以获取的数据包括第三方APP访问联系人模块、短信模块、GPS模块的时刻,使用Camera、麦克风的调用时长等等。因此,存储模块可以位于所述终端中的中间件层。但是,本领域技术人员应当可以理解,其也可以通过其他方式实现,例如,直接在框架层中设置存储模块,或者在其他模块中实现存储模块的功能,本实施例对此不做限定。As an exemplary embodiment, the call record generated by the call request may be stored in a database by the middleware layer, and the data that the middleware layer may obtain includes the time when the third-party APP accesses the contact module, the SMS module, and the GPS module Use Camera, microphone call duration, etc. Therefore, the storage module may be located at the middleware layer in the terminal. However, those skilled in the art should understand that it can also be implemented in other ways, for example, a storage module is directly provided in the framework layer, or the function of the storage module is implemented in other modules, which is not limited in this embodiment.
如图9所示,该系统还可以包括:查看请求接收模块94,用于接收调用记录查看请求;分析显示模块95,用于根据所述调用记录查看请求,从所述数据库中读取所述调用记录查看请求所对应的调用记录,并分析和 /或显示读取的所述调用记录。As shown in FIG. 9, the system may further include: a viewing request receiving module 94 for receiving a call record viewing request; an analysis display module 95 for reading the call record viewing request according to the calling record viewing request Call record View the call record corresponding to the request, and analyze and / or display the read call record.
作为一个示例性实施例,对于收集到的信息可以做以下处理:对获取的信息进行可视化分析(柱状图等展示),统计联系人、短信、GPS的访问次数;统计Camera、麦克风调用时长,用户可以随时查看这些信息。这样用户就可以轻松知晓自己的隐私数据被访问的详细情况。As an exemplary embodiment, the following processing can be performed on the collected information: visual analysis of the obtained information (display of histograms, etc.), statistics of the number of visits of contacts, SMS, and GPS; statistics of camera, microphone call duration, user You can view this information at any time. In this way, users can easily know the details of their private data being accessed.
针对于不同种类的异常调用,可以考虑设置不同的预定处理方式,以实现更加灵活多样的异常调用处理方式,提高用户的体验。因此,所述预定条件和所述预定处理之间可以存在对应关系,所述处理模块83用于:在所述调用请求满足所述预定条件的情况下,根据所述调用请求满足的所述预定条件,确定与所述预定条件相对应的预定处理,并对所述调用请求执行确定的所述预定处理。For different types of exception calls, it may be considered to set different predetermined processing methods, so as to implement a more flexible and diverse method for processing exception calls and improve the user experience. Therefore, there may be a correspondence between the predetermined condition and the predetermined processing, and the processing module 83 is configured to: according to the predetermined condition that the call request satisfies when the call request meets the predetermined condition The condition determines a predetermined process corresponding to the predetermined condition, and performs the determined predetermined process on the call request.
这种对应关系可以根据需求进行设置,例如,可以出厂前预先设置,也可以由用户进行设置。作为一个示例性的实施例,预定条件和预定处理之间存在的对应关系可以如下:在所述预定条件包括所述应用发起所述调用请求时所述终端的屏幕处于关闭状态的情况下,所述预定处理至少包括拒绝所述调用请求;在所述预定条件包括所述应用发起所述调用请求时处于后台的情况下,所述预定处理至少包括针对所述调用请求发出提醒或询问是否允许所述调用请求;在所述预定条件包括所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作的情况下,所述预定处理至少包括针对所述调用请求发出提醒或询问是否允许所述调用请求。This correspondence relationship can be set according to requirements, for example, it can be preset before leaving the factory, or can be set by the user. As an exemplary embodiment, the correspondence between the predetermined condition and the predetermined processing may be as follows: when the predetermined condition includes that the screen of the terminal is off when the application initiates the call request, the The predetermined processing includes at least rejecting the call request; when the predetermined condition includes that the application is in the background when the call request is initiated, the predetermined processing includes at least issuing a reminder or asking whether the call request is allowed for the call request The call request; when the predetermined condition includes that the application is in the foreground when the call request is initiated but the touch operation is not received on the interface of the application within a predetermined time period before the application initiates the call request , The predetermined processing includes at least issuing a reminder or asking whether the calling request is allowed for the calling request.
本领域技术人员应当理解,以上的对应关系仅仅是一个例子,本实施例的方案并不限于此,对应关系应当可以根据实际应用场景或用户需求进行随意设置。Those skilled in the art should understand that the above correspondence is only an example, and the solution in this embodiment is not limited to this. The correspondence should be arbitrarily set according to actual application scenarios or user requirements.
需要说明的是,上述各个模块是可以通过软件或硬件来实现的,对 于后者,可以通过以下方式实现,但不限于此:上述模块均位于同一处理器中;或者,上述各个模块以任意组合的形式分别位于不同的处理器中。It should be noted that the above modules can be implemented by software or hardware, and the latter can be implemented by the following methods, but not limited to this: the above modules are all located in the same processor; or, the above modules can be combined in any combination The forms are located in different processors.
本申请的实施例还提供了一种存储介质,该存储介质中存储有计算机程序,其中,该计算机程序被设置为运行时执行上述任一项方法实施例中的步骤。An embodiment of the present application further provides a storage medium in which a computer program is stored, wherein the computer program is configured to execute any of the steps in the above method embodiments during runtime.
可选地,在本实施例中,上述存储介质可以包括但不限于:U盘、只读存储器(Read-Only Memory,简称为ROM)、随机存取存储器(Random Access Memory,简称为RAM)、移动硬盘、磁碟或者光盘等各种可以存储计算机程序的介质。Optionally, in this embodiment, the above storage medium may include, but is not limited to: a USB flash drive, a read-only memory (Read-Only Memory, ROM for short), a random access memory (Random Access Memory, RAM for short), Various media that can store computer programs, such as removable hard disks, magnetic disks, or optical disks.
本申请的实施例还提供了一种电子装置,包括存储器和处理器,该存储器中存储有计算机程序,该处理器被设置为运行计算机程序以执行上述任一项方法实施例中的步骤。An embodiment of the present application further provides an electronic device, including a memory and a processor, where the computer program is stored in the memory, and the processor is configured to run the computer program to perform the steps in any one of the foregoing method embodiments.
可选地,上述电子装置还可以包括传输设备以及输入输出设备,其中,该传输设备和上述处理器连接,该输入输出设备和上述处理器连接。Optionally, the electronic device may further include a transmission device and an input-output device, wherein the transmission device is connected to the processor, and the input-output device is connected to the processor.
可选地,本实施例中的具体示例可以参考上述实施例及可选实施例中所描述的示例,本实施例在此不再赘述。Optionally, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional embodiments, and details are not repeated herein in this embodiment.
以下的示例性实施例中,结合一些具体应用场景,对本申请实施例的终端中敏感权限模块的调用请求的处理方案进行详细的描述,需要注意的是,以下示例性的描述仅仅用于帮助理解实施例方案,而不应构成对其的不当限定。In the following exemplary embodiments, combined with some specific application scenarios, a detailed description will be given to the processing scheme of the call request of the sensitive authority module in the terminal of the embodiment of the present application. It should be noted that the following exemplary description is only used to help understanding The embodiment scheme should not constitute an undue limitation on it.
首先,对于该示例性实施例所基于的实现架构进行说明,图10是根据本申请示例性实施例的系统架构示意图,如图10所示,终端中的系统包括以下层:框架层1001,其检测到第三方应用检查或请求敏感权限(比如访问联系人,短信,Camera,GPS,麦克风等)时,则与中间件层1002通信,传递数据给中间件层1002进行判断。中间件层1002,其接收来自 框架层1001的数据,进行异常调用判断,并将结果返回给框架层1001,同时会将相应的第三方调用数据传入数据库层1003进行保存。数据库层1003,其接收处理中间件层1002传入的数据,进行插入,更新等。First, the implementation architecture on which the exemplary embodiment is based will be described. FIG. 10 is a schematic diagram of a system architecture according to an exemplary embodiment of the present application. As shown in FIG. 10, the system in the terminal includes the following layers: a framework layer 1001, which When it detects that a third-party application checks or requests sensitive permissions (such as access to contacts, SMS, Camera, GPS, microphone, etc.), it communicates with the middleware layer 1002 and passes data to the middleware layer 1002 for judgment. The middleware layer 1002 receives the data from the frame layer 1001, performs abnormal call judgment, and returns the result to the frame layer 1001, and at the same time transfers the corresponding third-party call data to the database layer 1003 for storage. The database layer 1003 receives and processes incoming data from the middleware layer 1002, performs insertion, update, and the like.
数据展示模块1004,其对数据库层1003中的数据进行分析后,展示给用户,可以用多种表现形式。The data display module 1004 analyzes the data in the database layer 1003 and displays it to the user, which can be displayed in various forms.
以下对该示例性实施例的整体流程进行详细说明。图11是根据本申请示例性实施例的整体流程图,以下对图11中所涉及的各个部分进行简要的说明。The overall flow of this exemplary embodiment is described in detail below. FIG. 11 is an overall flowchart according to an exemplary embodiment of the present application, and each part involved in FIG. 11 is briefly described below.
APP1APP2APP3是指第三方应用或者系统的独立应用。APP1APP2APP3 refers to third-party applications or independent applications of the system.
联系人模块,短信模块,Camera模块,GPS模块,麦克风模块,是指手机中一些敏感信息模块,包括框架层处理及传感器服务等,对应图10的框架层1001。The contact module, short message module, Camera module, GPS module, and microphone module refer to some sensitive information modules in the mobile phone, including frame layer processing and sensor services, etc., which corresponds to the frame layer 1001 in FIG. 10.
中间件层,对应图10的中间件层1002。The middleware layer corresponds to the middleware layer 1002 in FIG. 10.
数据库,对应图10的数据库层1003。The database corresponds to the database layer 1003 in FIG.
数据展示模块,对应图10的数据展示模块1004。The data display module corresponds to the data display module 1004 of FIG.
以下对该示例性实施例中系统的参数假定进行说明。The parameter assumptions of the system in this exemplary embodiment are explained below.
Middleware.class--中间件层服务Middleware.class--Middleware layer service
publicenumEnumTYPE{publicenumEnumTYPE {
SMSTYPE=1,//表示获取短信数据类型SMSTYPE = 1, // indicates the type of SMS data obtained
CONTACTTYPE,//表示获取联系人数据类型CONTACTTYPE, // means get contact data type
CAMERATYPE,//表示调用Camera数据类型CAMERATYPE, // means calling Camera data type
GPSTYPE,//表示调用GPS数据类型GPSTYPE, // indicates calling GPS data type
MICROPHONETYPE;//表示调用麦克风数据类型MICROPHONETYPE; // Indicating the microphone data type
}}
Boolean isUseStart=true;//true--开始使用;false--结束使用Boolean isUseStart = true; // true--start to use; false--end to use
以下详细描述图11中的整体流程图中的基本动作。The basic actions in the overall flowchart in FIG. 11 are described in detail below.
手机自带APP或者第三方市场上下载的APP,当这些APP读取联系人,短信数据,或者打开/释放Camera,GPS,麦克风等服务时,在框架层1001会检测到这些APP的行为。The mobile phone comes with apps or apps downloaded from the third-party market. When these apps read contacts, SMS data, or open / release Camera, GPS, microphone, and other services, the behavior of these apps will be detected at the frame layer 1001.
框架层1001的处理如下:第三方应用请求调用隐私权限会调用checkSelfPermission方法或者requestPermissions方法(无论APP是否已经获取权限)。框架层将调用信息传递给中间件层1002。对于checkSelfPermission方法框架层返回True或False(True表示APP已经获取权限,False表示APP没有获取权限)。对于requestPermissions方法框架层会判断是用户主动授权还是系统自动授权,然后框架层将结果传递给中间件层1002。具体地址,可以通过修改Android SDK checkSelfPermission和requestPermissions接口,将第三方应用uid和checkSelfPermission或者requestPermissions的返回值传入中间件层1002中。The processing of the framework layer 1001 is as follows: a request for invoking privacy permission by a third-party application will call the checkSelfPermission method or the requestPermissions method (regardless of whether the APP has obtained permission). The framework layer passes the call information to the middleware layer 1002. For the checkSelfPermission method, the framework layer returns True or False (True indicates that the APP has obtained permission, False indicates that the APP has not obtained permission). For the requestPermissions method, the framework layer determines whether the user actively authorizes or the system automatically authorizes, and then the framework layer passes the result to the middleware layer 1002. For the specific address, the return value of the third-party application uid and checkSelfPermission or requestPermissions can be passed into the middleware layer 1002 by modifying the Android SDK SDK checkSelfPermission and requestPermissions interfaces.
中间件层1002处理流程如下:中间件层1002进行是否是异常调用的判断,从而进行拒绝或者同意该次请求。这里对一些技术点细节进行说明,需要说明的是,以下所述处理方法属于可行的很多种处理方式中的一种,此处列出仅仅是用于举例,不应当被理解为唯一的处理方式。The processing flow of the middleware layer 1002 is as follows: the middleware layer 1002 judges whether it is an abnormal call, thereby rejecting or approving the request. Here are some technical details. It should be noted that the processing methods described below belong to one of many feasible processing methods. The list here is only for example and should not be understood as the only processing method. .
I)如何获取是哪个APP调用的:可以通过Android标准SDK接口(如:Binder.getCallingUid())获取第三方应用uid,从而获取到具体的应用包名。I) How to obtain which APP is called: The third-party application uid can be obtained through the Android standard SDK interface (such as Binder.getCallingUid ()), so as to obtain the specific application package name.
II)前台和后台APP如何区分:首先通过标准SDK接口查询当前手机运行的所有进程,然后遍历所有进程属性中uid值跟传入的uid值进行判断,如果相等,则读取该进程是否前台还是后台的属性,进而判定返回结果。II) How to distinguish between the foreground and background APP: first query all processes running on the current mobile phone through the standard SDK interface, and then iterate through the uid value and the incoming uid value in all process attributes, if they are equal, read whether the process is in the foreground or The properties of the background, and then determine the return result.
图12是根据本申请示例性实施例的权限检查、申请及异常判断的 流程图,以下结合图12给出几种场景下框架层1001和中间件层1002配合,完成调用权限初步检查以及异常调用的判断的过程。FIG. 12 is a flowchart of permission inspection, application, and abnormality judgment according to an exemplary embodiment of the present application. The following provides a combination of the framework layer 1001 and the middleware layer 1002 in several scenarios in conjunction with FIG. Process of judgment.
1.对于第三方应用查询短信(GPS、联系人过程类似)数据会有以下四种情况。1. For third-party applications to query SMS (GPS, contact process is similar) data will have the following four cases.
1.1)框架层1001针对checkSelfPermission返回值为True,则中间件层1002首先判断第三方应用处于前台还是后台,如果是后台则获取应用包名并发送一个Notification告知用户该请求已经拒绝。在notification中用户可以点击进入三方应用的权限列表界面;如果是前台,则检测用户在请求事件时间之前几秒内是否有触摸事件,如果没有触屏事件的话,则弹出Dialog提示用户,用户可以点击允许或拒绝的按钮。对于前台应用则同时将该应用的包名和查询数据的时间以及标记为获取短信类型数据传递到数据库中,详细参数如下:a)传递第三方应用包名;b)传递数据类型为EnumTYPE.SMSTYPE,GPS为GPSTYPE,联系人为CONTACTTYPE;c)传递是否开始使用标记为true;d)传递开始调用的时间。1.1) The return value of checkSelfPermission by the framework layer 1001 is True, then the middleware layer 1002 first determines whether the third-party application is in the foreground or background. If it is in the background, it obtains the application package name and sends a Notification to inform the user that the request has been rejected. In the notification, the user can click to enter the permission list interface of the three-party application; if it is the foreground, it will detect whether the user has a touch event within a few seconds before the request event time. If there is no touch screen event, a Dialog will pop up to prompt the user. Allow or deny buttons. For the foreground application, the package name of the application, the time of querying the data, and the data marked as fetching SMS type are transferred to the database. The detailed parameters are as follows: a) the package name of the third-party application; b) the data type of EnumTYPE.SMSTYPE GPS is GPSTYPE, and the contact is CONTACTTYPE; c) Whether the transfer is started is marked as true; d) The time when the transfer is started is transferred.
如果用户允许后台应用的操作,中间件层1002同样需要将使用数据存入数据库。If the user allows the operation of the background application, the middleware layer 1002 also needs to store the usage data in the database.
1.2)框架层1001针对checkSelfPermission返回值是False,接着判断requestPermissions结果是用户主动授权还是系统自动授权,然后根据结果进入步骤1.3)或1.4)。1.2) The return value of checkSelfPermission by the framework layer 1001 is False, and then it is determined whether the result of requestPermissions is the user's active authorization or the system's automatic authorization, and then proceeds to step 1.3) or 1.4) according to the result.
1.3)requestPermissions返回结果是用户主动授权,这时候应用处于前台并且用户主动授权了短信访问权限,应用可以正常访问短信。然后中间件层1002将此次短信访问时间写入数据库中。1.3) The result returned by requestPermissions is the user's active authorization. At this time, the application is in the foreground and the user actively authorizes the SMS access permission. The application can access the SMS normally. Then the middleware layer 1002 writes the short message access time into the database.
1.4)requestPermissions返回结果是系统自动授权,这时候进入到步骤1.1)。1.4) The result returned by requestPermissions is automatic authorization by the system, and then step 1.1) is entered.
2.对于第三方应用使用麦克风(Camera情况类似)数据会有以下 四种情况。2. For third-party applications using microphone (Camera situation is similar) data will have the following four cases.
2.1)框架层1001针对checkSelfPermission返回值为True,则中间件层1002首先判断第三方应用处于前台还是后台,如果是后台则获取应用包名并发送一个Notification告知用户该请求已经拒绝。在notification中用户可以点击进入三方应用的权限列表界面;如果是前台,则检测用户在请求事件时间之前几秒内是否有触摸事件,如果没有触屏事件的话,则弹出Dialog提示用户,用户可以点击允许或拒绝的按钮。对于前台应用则同时将该应用的包名和查询数据的时间以及标记为获取短信类型数据传递到数据库中,详细参数如下:a)传递第三方应用包名;b)传递数据类型为EnumTYPE.MICROPHONETYPE,Camera为CAMERATYPE类型;c)传递是否开始使用标记为true;d)传递开始调用的时间;e)传递结束调用的时间。2.1) The return value of checkSelfPermission by the framework layer 1001 is True, then the middleware layer 1002 first determines whether the third-party application is in the foreground or background. If it is in the background, it obtains the application package name and sends a Notification to inform the user that the request has been rejected. In the notification, the user can click to enter the permission list interface of the three-party application; if it is the foreground, it will detect whether the user has a touch event within a few seconds before the request event time. If there is no touch screen event, a Dialog will pop up to remind the user that the user can click Allow or deny buttons. For the foreground application, the package name of the application and the time of querying the data and the data marked as fetching SMS type are transferred to the database. The detailed parameters are as follows: a) the package name of the third-party application; b) the data type is EnumTYPE.MICROPHONETYPE, Camera is of CAMERATYPE type; c) whether the transfer start flag is true; d) the transfer start time; e) the transfer end time.
如果用户允许后台应用的操作,中间件层1002同样需要将使用数据存入数据库。If the user allows the operation of the background application, the middleware layer 1002 also needs to store the usage data in the database.
2.2)框架层1001针对checkSelfPermission返回值是False,接着判断requestPermissions结果是用户主动授权还是系统自动授权,然后根据结果进入步骤2.3)或2.4)。2.2) The return value of checkSelfPermission by the framework layer 1001 is False, and then it is determined whether the result of requestPermissions is the user's active authorization or the system's automatic authorization, and then proceeds to step 2.3) or 2.4) according to the result.
2.3)requestPermissions返回结果是用户主动授权,这时候应用处于前台并且用户主动授权了麦克风访问权限,应用可以正常访麦克风。然后中间件层1002将此次麦克风访问时间写入数据库中。2.3) The result returned by requestPermissions is the user's active authorization. At this time, the application is in the foreground and the user actively authorized the microphone access permission. The application can access the microphone normally. Then the middleware layer 1002 writes the microphone access time into the database.
2.4)requestPermissions返回结果是系统自动授权,这时候进入到步骤1)。2.4) The result returned by requestPermissions is automatic authorization by the system, and then step 1) is entered.
3.对于熄屏调用的情况,当中间件层1002监测到手机熄屏广播事件时,则进行标记当前手机屏幕为关闭状态,此时中间件层1002可以采取直接拒绝权限;后台应用授权也可以采用更为灵活的方式,比如只授 权24小时(在24小时内可以自由访问,24小时之后就需要重新授权)。当中间件层1002监测到亮屏事件时,则修改标记屏幕为使用状态,此时处理流程同1和2中的处理流程。3. In the case of screen extinguishment call, when the middleware layer 1002 detects the mobile phone screen extinguishing broadcast event, the current mobile phone screen is marked as off, at this time the middleware layer 1002 can directly refuse permission; the background application authorization can also Use a more flexible approach, such as authorizing only 24 hours (free access within 24 hours, re-authorization is required after 24 hours). When the middleware layer 1002 detects a bright screen event, the marked screen is modified to be in use state, and the processing flow at this time is the same as the processing flow in 1 and 2.
数据库层1003的处理如下:处理中间层传入的数据,进行有效性检查后,将其插入数据库中保存。接收数据展示层的查询请求,反馈对应的数据给其显示。The processing of the database layer 1003 is as follows: after processing the incoming data of the middle layer, after checking the validity, it is inserted into the database and saved. Receive a query request from the data display layer and feed back the corresponding data to display.
数据展示模块1004的处理如下:通过各种组合查询,不同维度将数据库中的数据在UI中展示出来,方便用户分析和判断,比如:APP访问联系人、短信、GPS的次数,调用Camera,麦克风时长;某个应用最近一段时间内使用隐私数据的分析;某个隐私数据或者传感器最近一段时间有哪些应用进行使用;可以设置固定每周或者每月将分析数据推送通知栏提醒用户查看;或者发现某一段时间段哪些应用多次频繁使用隐私数据提醒用户等。具体展示方式此处不一一列举。The processing of the data display module 1004 is as follows: through various combinations of queries, the data in the database is displayed in the UI in different dimensions, which is convenient for users to analyze and judge, such as: the number of times the APP accesses contacts, SMS, GPS, call Camera, microphone Duration; analysis of an application ’s use of private data in the most recent period; which applications of a certain privacy data or sensor have been used in the most recent period; can set a fixed weekly or monthly push notification bar for analysis data to remind users to view; or discover Which applications frequently use private data to remind users, etc. for a certain period of time. The specific display methods are not listed here one by one.
参照以上的方案,可以实现异常调用的有效监控,从用户角度而言,还可以查看统计信息,从而了解应用调用的情况,发现异常应用。以下给出一个通过用户界面显示调用统计信息的例子。With reference to the above solution, effective monitoring of abnormal calls can be achieved. From the user's perspective, statistical information can also be viewed to understand the status of application calls and find abnormal applications. An example of displaying call statistics through the user interface is given below.
图13是根据本申请示例性实施例的麦克风和短信的使用时间段统计图。FIG. 13 is a statistical diagram of usage periods of microphones and short messages according to an exemplary embodiment of the present application.
以麦克风为例,横轴是时间坐标,表示一天的0-24小时,如果长条被特定图案填充表明这段时间麦克风被使用。通过使用不同的图案或颜色区分不同的APP,点击可以显示使用的具体数据(使用时长和开始结束时刻)。通过双指捏合可以显示一周的使用图。Camera的使用可以采用与图13中麦克风的使用相类似的图来显示。Taking the microphone as an example, the horizontal axis is the time coordinate, indicating 0-24 hours of the day. If the bar is filled with a specific pattern, it indicates that the microphone is used during this time. By using different patterns or colors to distinguish different apps, click to display the specific data used (duration and start and end time). By pinching two fingers together, you can display a week of usage charts. The use of the camera can be displayed in a similar manner to the use of the microphone in FIG. 13.
以短信为例,横轴是时间坐标,表示一天的0-24小时,长方形条显示了某个时间段内短信被访问的次数,通过使用不同的图案区分不同的 APP,点击可以显示使用的具体数据(详细到每次的使用时刻)。通过双指捏合可以显示一周的使用图。联系人、GPS的使用可以采用与图13中短信的使用相类似的图来显示。Taking SMS as an example, the horizontal axis is the time coordinate, representing 0-24 hours of a day. The rectangular bar shows the number of times the SMS was accessed in a certain period of time. By using different patterns to distinguish different APPs, click to display the specific use. Data (detailed to each time of use). By pinching two fingers together, you can display a week of usage charts. The use of contacts and GPS can be displayed using a diagram similar to the use of SMS in FIG. 13.
上面仅仅是展示实例,具体展示方式和提醒方式可以多种多样。比如可以定时统计数据提醒,某时间段异常行为数据提醒等。The above is just a display example, and the specific display methods and reminder methods can be various. For example, it can periodically remind the statistics, remind the abnormal behavior data in a certain period of time, etc.
图14是根据本申请示例性实施例的应用后台使用麦克风被阻止后提醒用户的界面的示意图。如图14所示,后台应用(例如,APP1)的调用或熄屏时应用调用敏感权限模块时,终端可以直接拒绝调用并使用notification提醒用户。FIG. 14 is a schematic diagram of an interface for reminding a user after using a microphone in the background of an application according to an exemplary embodiment of the present application. As shown in FIG. 14, when the background application (for example, APP1) is called or the application calls the sensitive permission module when the screen is turned off, the terminal can directly refuse the call and use notification to remind the user.
综上,通过本申请,在接收到终端中的应用对敏感权限模块进行调用的调用请求后,针对调用请求进行了异常调用的判断,能够监控到应用处于后台、熄屏、或前台未收到用户的触摸操作的情况下发起的调用请求,并相应的执行拒绝、提醒、询问等操作中的一种或多种。通过该方案,可以解决软件在用户不知情的情况下随意调用传感器获取外界信息或随意读取用户隐私数据,造成用户隐私的泄露的问题,达到了有效监控应用对敏感权限模块(例如,可以包括以下至少之一:麦克风模块、摄像头模块、GPS模块、短信模块、联系人模块、通话记录模块等等)的调用的效果,在某些优选实施例中,还能够实现调用数据的记录、分析和展示。In summary, through this application, after receiving the call request of the application in the terminal to call the sensitive permission module, an abnormal call judgment is made for the call request, and it can be monitored that the application is in the background, the screen is turned off, or the foreground is not received The call request initiated in the case of the user's touch operation, and correspondingly perform one or more of the rejection, reminder, query and other operations. Through this solution, it can solve the problem of software arbitrarily calling sensors to obtain external information or reading user privacy data without the user's knowledge, resulting in the leakage of user privacy, and an effective monitoring application for sensitive permission modules (for example, can include At least one of the following: the effect of calling the microphone module, camera module, GPS module, SMS module, contact module, call recording module, etc.), in certain preferred embodiments, the recording, analysis and Show.
显然,本领域的技术人员应该明白,上述的本申请的各模块或各步骤可以用通用的计算装置来实现,它们可以集中在单个的计算装置上,或者分布在多个计算装置所组成的网络上,可选地,它们可以用计算装置可执行的程序代码来实现,从而,可以将它们存储在存储装置中由计算装置来执行,并且在某些情况下,可以以不同于此处的顺序执行所示出或描述的步骤,或者将它们分别制作成各个集成电路模块,或者将它们中的多个模块或步骤制作成单个集成电路模块来实现。这样,本申请不限制于任 何特定的硬件和软件结合。Obviously, those skilled in the art should understand that the above-mentioned modules or steps of this application can be implemented by a general-purpose computing device, and they can be concentrated on a single computing device or distributed in a network composed of multiple computing devices Above, optionally, they can be implemented with program code executable by the computing device, so that they can be stored in the storage device to be executed by the computing device, and in some cases, can be in a different order than here The steps shown or described are performed, or they are made into individual integrated circuit modules respectively, or multiple modules or steps among them are made into a single integrated circuit module to achieve. In this way, this application is not limited to any specific combination of hardware and software.
以上所述仅为本申请的优选实施例而已,并不用于限制本申请,对于本领域的技术人员来说,本申请可以有各种更改和变化。凡在本申请的原则之内,所作的任何修改、等同替换、改进等,均应包含在本申请的保护范围之内。The above are only preferred embodiments of the present application, and are not intended to limit the present application. For those skilled in the art, the present application may have various modifications and changes. Any modifications, equivalent replacements, improvements, etc. made within the principles of this application shall be included in the scope of protection of this application.

Claims (23)

  1. 一种终端中敏感权限模块的调用请求的处理方法,包括:A method for processing a call request of a sensitive authority module in a terminal, including:
    接收终端中的应用对敏感权限模块进行调用的调用请求;Receive the call request of the application in the terminal to call the sensitive permission module;
    判断所述调用请求是否满足预定条件,其中,所述预定条件包括以下至少之一:所述应用发起所述调用请求时处于后台、所述应用发起所述调用请求时所述终端的屏幕处于关闭状态、所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作;Judging whether the calling request meets a predetermined condition, wherein the predetermined condition includes at least one of the following: the application is in the background when the calling request is initiated, and the screen of the terminal is off when the application initiates the calling request Status, the application is in the foreground when the call request is initiated, but the touch operation is not received on the interface of the application within a predetermined time period before the application initiates the call request;
    在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理,其中,所述预定处理包括以下至少之一:拒绝所述调用请求、针对所述调用请求发出提醒、询问是否允许所述调用请求。When the call request satisfies the predetermined condition, a predetermined process is performed on the call request, wherein the predetermined process includes at least one of the following: rejecting the call request, issuing a reminder for the call request, and asking Whether to allow the call request.
  2. 根据权利要求1所述的方法,其中,接收所述终端中的所述应用对所述敏感权限模块进行调用的所述调用请求包括:The method according to claim 1, wherein the receiving the call request of the application in the terminal to call the sensitive authority module comprises:
    所述终端中的框架层接收所述应用发起的对所述敏感权限模块进行调用的所述调用请求,其中,所述调用请求包括以下之一:调用权限检查请求checkSelfPermission、调用权限申请请求requestPermission。The framework layer in the terminal receives the call request initiated by the application to call the sensitive permission module, where the call request includes one of the following: a call permission check request checkSelfPermission, a call permission application request requestPermission.
  3. 根据权利要求2所述的方法,其中,判断所述调用请求是否满足预定条件包括:The method according to claim 2, wherein determining whether the call request satisfies a predetermined condition includes:
    所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息;The framework layer sends the calling information corresponding to the calling request to the middleware layer in the terminal;
    所述中间件层根据所述调用信息判断所述调用请求是否满足所述预定条件。The middleware layer determines whether the call request meets the predetermined condition according to the call information.
  4. 根据权利要求3所述的方法,其中,所述框架层向所述终端中的中间件层发送所述调用请求对应的所述调用信息包括:The method according to claim 3, wherein the frame layer sending the call information corresponding to the call request to the middleware layer in the terminal includes:
    通过所述checkSelfPermission或所述requestPermission中设置的调用接口,将所述调用请求对应的所述调用信息传入所述中间件层。The calling information corresponding to the calling request is transferred to the middleware layer through the calling interface set in the checkSelfPermission or the requestPermission.
  5. 根据权利要求3或4所述的方法,其中,所述调用请求对应的所述调用信息包括:发起所述调用请求的所述应用的标识,以及所述框架层判断是否允许所述调用请求的判断结果。The method according to claim 3 or 4, wherein the invoking information corresponding to the invoking request includes: an identification of the application that initiated the invoking request, and the framework layer determining whether to allow the invoking request critical result.
  6. 根据权利要求3所述的方法,其中,在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理包括:The method according to claim 3, wherein, in the case where the call request satisfies the predetermined condition, performing predetermined processing on the call request includes:
    所述中间件层将判断所述调用请求是否满足所述预定条件的判断结果返回给所述框架层;The middleware layer returns a judgment result to determine whether the call request meets the predetermined condition to the framework layer;
    所述框架层在所述判断结果为所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理。The framework layer performs predetermined processing on the call request when the result of the judgment is that the call request meets the predetermined condition.
  7. 根据权利要求3-6中任一项所述的方法,其中,在所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息之前,还包括以下之一:The method according to any one of claims 3-6, wherein before the framework layer sends the call information corresponding to the call request to the middleware layer in the terminal, it further includes one of the following:
    在所述调用请求包括所述checkSelfPermission的情况下,所述框架层根据系统中记录的所述应用对各敏感权限模块的调用权限判断是否允许所述调用请求,并在判断结果为允许的情况下,继续所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息的步骤;In the case where the call request includes the checkSelfPermission, the framework layer judges whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and if the judgment result is allowed , Continue the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal;
    在所述调用请求包括所述checkSelfPermission的情况下,所述框架层根据系统中记录的所述应用对各敏感权限模块的调用权限判断是否允许所述调用请求,并在判断结果为不允许的情况下,所述框架层对所述checkSelfPermission所请求调用的敏感权限模块发起requestPermission,并根据所述敏感权限模块的类型判断是否对所述requestPermission进行自动授权,在判断结果为进行自动授权的情况下,继续所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息的步骤;In the case where the call request includes the checkSelfPermission, the framework layer judges whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and if the judgment result is not allowed Next, the framework layer initiates a requestPermission to the sensitive permission module called by the checkSelfPermission, and determines whether to automatically authorize the requestPermission according to the type of the sensitive permission module. Continuing the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal;
    在所述调用请求包括所述requestPermission的情况下,所述框架层根据所述requestPermission所请求调用的敏感权限模块的类型判断是否对所述requestPermission进行自动授权,在判断结果为进行自动授权的情况下,继续所述框架层向所述终端中的中间件层发送所述调用请求对应的调用信息的步骤。In the case where the invocation request includes the requestPermission, the framework layer determines whether to automatically authorize the requestPermission according to the type of the sensitive permission module requested by the requestPermission, and when the judgment result is the automatic authorization , Continue the step of the framework layer sending the calling information corresponding to the calling request to the middleware layer in the terminal.
  8. 根据权利要求1所述的方法,其中,在对所述调用请求执行预定处理之后,还包括:The method according to claim 1, wherein after performing predetermined processing on the call request, further comprising:
    将所述调用请求所产生的调用记录存储到数据库,其中,所述调用记录包括以下至少之一:发起所述调用请求的所述应用的标识、调用的所述敏感权限模块的类型、开始调用的时间、结束调用的时间、调用持续的时长。Storing a call record generated by the call request to a database, wherein the call record includes at least one of the following: an identification of the application that initiated the call request, a type of the sensitive authority module called, and a call start Time, the time to end the call, and the duration of the call.
  9. 根据权利要求8所述的方法,其中,将所述调用请求所产生的调用记录存储到数据库之后,还包括:The method according to claim 8, wherein after storing the call record generated by the call request in a database, the method further comprises:
    接收调用记录查看请求;Receive call record viewing request;
    根据所述调用记录查看请求,从所述数据库中读取所述调用记录查看请求所对应的调用记录,并分析和/或显示读取的所述调用记录。According to the call record viewing request, read the call record corresponding to the call record viewing request from the database, and analyze and / or display the read call record.
  10. 根据权利要求1所述的方法,其中,所述预定条件和所述预定处理之间存在对应关系,在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理包括:The method according to claim 1, wherein there is a correspondence between the predetermined condition and the predetermined processing, and when the call request meets the predetermined condition, performing the predetermined processing on the call request includes:
    根据所述调用请求满足的所述预定条件,确定与所述预定条件相对应的预定处理,并对所述调用请求执行确定的所述预定处理。According to the predetermined condition satisfied by the calling request, predetermined processing corresponding to the predetermined condition is determined, and the determined predetermined processing is performed on the calling request.
  11. 根据权利要求10所述的方法,其中,所述预定条件和所述预定处理之间存在的对应关系包括:The method according to claim 10, wherein the correspondence between the predetermined condition and the predetermined processing includes:
    在所述预定条件包括所述应用发起所述调用请求时所述终端的屏幕处于关闭状态的情况下,所述预定处理至少包括拒绝所述调用请求;When the predetermined condition includes that the screen of the terminal is turned off when the application initiates the call request, the predetermined processing includes at least rejecting the call request;
    在所述预定条件包括所述应用发起所述调用请求时处于后台的情况下,所述预定处理至少包括针对所述调用请求发出提醒或询问是否允许所述调用请求;When the predetermined condition includes that the application is in the background when the calling request is initiated, the predetermined processing includes at least issuing a reminder or asking whether the calling request is allowed for the calling request;
    在所述预定条件包括所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作的情况下,所述预定处理至少包括针对所述调用请求发出提醒或询问是否允许所述调用请求。When the predetermined condition includes that the application is in the foreground when the call request is initiated, but the touch operation is not received on the interface of the application within a predetermined time period before the application initiates the call request, the predetermined The processing includes at least issuing a reminder or asking whether the calling request is allowed for the calling request.
  12. 一种终端中敏感权限模块的调用请求的处理装置,包括:A processing device for a call request of a sensitive authority module in a terminal, including:
    调用请求接收模块,用于接收终端中的应用对敏感权限模块进行调用的调用请求;The call request receiving module is used to receive the call request of the application in the terminal to call the sensitive authority module;
    判断模块,用于判断所述调用请求是否满足预定条件,其中,所述预定条件包括以下至少之一:所述应用发起所述调用请求时处于后台、所述应用发起所述调用请求时所述终端的屏幕处于关闭状态、所述应用发起所述调用请求时处于前台但所述应用发起所述调用请求之前的预定时长之内在所述应用的界面上未接收到触摸操作;The judgment module is used to judge whether the call request meets a predetermined condition, wherein the predetermined condition includes at least one of the following: the application is in the background when the call request is initiated, and the application is initiated when the call request is initiated The screen of the terminal is off, the application is in the foreground when the call request is initiated, but no touch operation is received on the interface of the application within a predetermined time period before the application initiates the call request;
    处理模块,用于在所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理,其中,所述预定处理包括以下至少之一:拒绝所述调用请求、针对所述调用请求发出提醒、询问是否允许所述调用请求。A processing module, configured to perform predetermined processing on the calling request when the calling request meets the predetermined condition, wherein the predetermined processing includes at least one of the following: rejecting the calling request, targeting the calling A reminder is requested to ask whether the call request is allowed.
  13. 根据权利要求12所述的装置,其中,所述调用请求接收模块位于所述终端中的框架层,用于接收所述应用发起的对所述敏感权限模块进行调用的所述调用请求,其中,所述调用请求包括以下之一:调用权限检查请求checkSelfPermission、调用权限申请请求requestPermission。The apparatus according to claim 12, wherein the call request receiving module is located at a frame layer in the terminal, and is configured to receive the call request initiated by the application to call the sensitive permission module, wherein, The call request includes one of the following: a call permission check request checkSelfPermission, and a call permission application request requestPermission.
  14. 根据权利要求13所述的装置,其中,所述装置还包括:信息传递模块,位于所述框架层,用于向位于所述终端中的中间件层的所述判断模块发送所述调用请求对应的调用信息;The apparatus according to claim 13, wherein the apparatus further comprises: an information delivery module, located at the frame layer, for sending the call request corresponding to the judgment module located at the middleware layer in the terminal 'S calling information;
    所述判断模块用于根据所述调用信息判断所述调用请求是否满足所述预定条件。The judgment module is used to judge whether the calling request meets the predetermined condition according to the calling information.
  15. 根据权利要求14所述的装置,其中,所述信息传递模块用于通过所述checkSelfPermission或所述requestPermission中设置的调用接口,将所述调用请求对应的所述调用信息传入位于所述中间件层的所述判断模块。The apparatus according to claim 14, wherein the information transfer module is used to transfer the call information corresponding to the call request to the middleware through the call interface set in the checkSelfPermission or the requestPermission The judgment module of the layer.
  16. 根据权利要求14或15所述的装置,其中,所述调用请求对应的所述调用信息包括:发起所述调用请求的所述应用的标识,以及所述框架层判断是否允许所述调用请求的判断结果。The apparatus according to claim 14 or 15, wherein the invocation information corresponding to the invocation request includes: an identification of the application that initiated the invocation request, and the framework layer determining whether to allow the invocation request critical result.
  17. 根据权利要求14所述的装置,其中,所述处理模块位于所述终端的所述框架层,The apparatus according to claim 14, wherein the processing module is located at the frame layer of the terminal,
    所述判断模块用于将判断所述调用请求是否满足所述预定条件的判断结果返回给所述处理模块;The judgment module is used to return a judgment result of judging whether the call request meets the predetermined condition to the processing module;
    所述处理模块用于在所述判断结果为所述调用请求满足所述预定条件的情况下,对所述调用请求执行预定处理。The processing module is configured to perform predetermined processing on the call request when the judgment result is that the call request meets the predetermined condition.
  18. 根据权利要求14-17中任一项所述的装置,其中,还包括权限控制模块,位于所述终端中的框架层,用于执行以下之一:The device according to any one of claims 14-17, further comprising a permission control module, located at a frame layer in the terminal, for performing one of the following:
    在所述调用请求包括所述checkSelfPermission的情况下,根据系统中记录的所述应用对各敏感权限模块的调用权限判断是否允许所述调用请求,并在判断结果为允许的情况下,调用所述信息传递模块向位于所述终端中的中间件层的所述判断模块发送所述调用请求对应的调用信息;When the call request includes the checkSelfPermission, determine whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and if the judgment result is allowed, call the The information transfer module sends the call information corresponding to the call request to the judgment module located at the middleware layer in the terminal;
    在所述调用请求包括所述checkSelfPermission的情况下,根据系统中记录的所述应用对各敏感权限模块的调用权限判断是否允许所述调用请求,并在判断结果为不允许的情况下,对所述checkSelfPermission所请求调用的敏感权限模块发起requestPermission,并根据所述敏感权限模块的 类型判断是否对所述requestPermission进行自动授权,在判断结果为进行自动授权的情况下,调用所述信息传递模块向位于所述终端中的中间件层的所述判断模块发送所述调用请求对应的调用信息;When the call request includes the checkSelfPermission, determine whether the call request is allowed according to the call permission of the application for each sensitive permission module recorded in the system, and if the judgment result is not allowed, check The sensitive permission module called by checkSelfPermission initiates requestPermission, and judges whether to automatically authorize the requestPermission according to the type of the sensitive permission module. When the judgment result is automatic authorization, the information transfer module is called to locate The judgment module of the middleware layer in the terminal sends call information corresponding to the call request;
    在所述调用请求包括所述requestPermission的情况下,根据所述requestPermission所请求调用的敏感权限模块的类型判断是否对所述requestPermission进行自动授权,在判断结果为进行自动授权的情况下,调用所述信息传递模块向位于所述终端中的中间件层的所述判断模块发送所述调用请求对应的调用信息。When the call request includes the requestPermission, determine whether to automatically authorize the requestPermission according to the type of the sensitive permission module requested by the requestPermission, and call the request if the judgment result is automatic authorization The information transfer module sends the call information corresponding to the call request to the judgment module located at the middleware layer in the terminal.
  19. 根据权利要求12所述的装置,其中,还包括:The apparatus of claim 12, further comprising:
    存储模块,用于将所述调用请求所产生的调用记录存储到数据库,其中,所述调用记录包括以下至少之一:发起所述调用请求的所述应用的标识、调用的所述敏感权限模块的类型、开始调用的时间、结束调用的时间、调用持续的时长。A storage module, configured to store a call record generated by the call request in a database, wherein the call record includes at least one of the following: an identification of the application that initiated the call request, and the sensitive permission module called Type, time to start the call, time to end the call, and the duration of the call.
  20. 根据权利要求19所述的装置,其中,还包括:The apparatus of claim 19, further comprising:
    查看请求接收模块,用于接收调用记录查看请求;View request receiving module, used to receive call record viewing request;
    分析显示模块,用于根据所述调用记录查看请求,从所述数据库中读取所述调用记录查看请求所对应的调用记录,并分析和/或显示读取的所述调用记录。The analysis and display module is configured to read the call record corresponding to the call record viewing request from the database according to the call record viewing request, and analyze and / or display the read call record.
  21. 根据权利要求12所述的装置,其中,所述预定条件和所述预定处理之间存在对应关系,所述处理模块用于:在所述调用请求满足所述预定条件的情况下,根据所述调用请求满足的所述预定条件,确定与所述预定条件相对应的预定处理,并对所述调用请求执行确定的所述预定处理。The apparatus according to claim 12, wherein there is a correspondence between the predetermined condition and the predetermined processing, and the processing module is configured to: in the case that the call request meets the predetermined condition, according to the The predetermined condition satisfied by the call request determines predetermined processing corresponding to the predetermined condition, and performs the determined predetermined processing on the call request.
  22. 一种存储介质,所述存储介质中存储有计算机程序,其中,所述计算机程序被设置为运行时执行所述权利要求1至11任一项中所述的方法。A storage medium in which a computer program is stored, wherein the computer program is configured to execute the method described in any one of claims 1 to 11 when it is run.
  23. 一种电子装置,包括存储器和处理器,所述存储器中存储有计算机程序,所述处理器被设置为运行所述计算机程序以执行所述权利要求1至11任一项中所述的方法。An electronic device includes a memory and a processor, a computer program is stored in the memory, and the processor is configured to run the computer program to perform the method described in any one of claims 1 to 11.
PCT/CN2019/115828 2018-11-05 2019-11-05 Method and apparatus for processing invocation request for sensitive permission module in terminal WO2020094027A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811307589.4A CN109711141A (en) 2018-11-05 2018-11-05 The processing method and processing device of the call request of sensitive permission module in terminal
CN201811307589.4 2018-11-05

Publications (1)

Publication Number Publication Date
WO2020094027A1 true WO2020094027A1 (en) 2020-05-14

Family

ID=66254866

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/115828 WO2020094027A1 (en) 2018-11-05 2019-11-05 Method and apparatus for processing invocation request for sensitive permission module in terminal

Country Status (2)

Country Link
CN (1) CN109711141A (en)
WO (1) WO2020094027A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109711141A (en) * 2018-11-05 2019-05-03 中兴通讯股份有限公司 The processing method and processing device of the call request of sensitive permission module in terminal
CN111143089B (en) * 2019-12-23 2023-11-07 飞天诚信科技股份有限公司 Method and device for dynamically improving authority of application program calling third party library
CN112100612B (en) * 2020-09-03 2023-06-06 中国联合网络通信集团有限公司 Terminal authority protection method and device and terminal
CN112860637A (en) * 2021-02-05 2021-05-28 广州海量数据库技术有限公司 Method and system for processing log based on audit strategy
CN114489419A (en) * 2022-01-13 2022-05-13 荣耀终端有限公司 Authority control method and electronic equipment
CN115879149B (en) * 2022-12-01 2023-06-30 武汉卓讯互动信息科技有限公司 App privacy compliance safety detection method and detection platform

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103544435A (en) * 2013-10-18 2014-01-29 广东欧珀移动通信有限公司 Method and device for preventing secret photography
CN106845208A (en) * 2017-02-13 2017-06-13 北京奇虎科技有限公司 abnormal application control method, device and terminal device
CN106933633A (en) * 2017-03-14 2017-07-07 北京奇虎科技有限公司 Right management method, device and mobile terminal
CN109711141A (en) * 2018-11-05 2019-05-03 中兴通讯股份有限公司 The processing method and processing device of the call request of sensitive permission module in terminal
CN109918930A (en) * 2019-03-11 2019-06-21 维沃移动通信有限公司 A kind of information protecting method and terminal device
CN110191465A (en) * 2019-06-03 2019-08-30 努比亚技术有限公司 Authority control method, mobile terminal and computer readable storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9053230B2 (en) * 2013-01-14 2015-06-09 International Business Machines Corporation Framework and repository for analysis of software products
CN106997433A (en) * 2017-03-22 2017-08-01 西安电子科技大学 A kind of Android system authority management method
CN108549799B (en) * 2018-04-13 2022-02-01 深圳壹账通智能科技有限公司 Android permission management method and device, terminal and computer storage medium

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103544435A (en) * 2013-10-18 2014-01-29 广东欧珀移动通信有限公司 Method and device for preventing secret photography
CN106845208A (en) * 2017-02-13 2017-06-13 北京奇虎科技有限公司 abnormal application control method, device and terminal device
CN106933633A (en) * 2017-03-14 2017-07-07 北京奇虎科技有限公司 Right management method, device and mobile terminal
CN109711141A (en) * 2018-11-05 2019-05-03 中兴通讯股份有限公司 The processing method and processing device of the call request of sensitive permission module in terminal
CN109918930A (en) * 2019-03-11 2019-06-21 维沃移动通信有限公司 A kind of information protecting method and terminal device
CN110191465A (en) * 2019-06-03 2019-08-30 努比亚技术有限公司 Authority control method, mobile terminal and computer readable storage medium

Also Published As

Publication number Publication date
CN109711141A (en) 2019-05-03

Similar Documents

Publication Publication Date Title
WO2020094027A1 (en) Method and apparatus for processing invocation request for sensitive permission module in terminal
US20130055387A1 (en) Apparatus and method for providing security information on background process
EP3168747B1 (en) Method and device for monitoring a file in a system partition
US11748522B2 (en) Systems, devices, and methods for prevention of recording content
CN109669730B (en) Process keep-alive method, device, electronic equipment and medium
US11487866B2 (en) Remote permissions monitoring and control
US10447924B2 (en) Camera usage notification
RU2642843C2 (en) Method and device for processing recording contacts
US10686904B2 (en) System and method for pushing smart alerts
EP3226128B1 (en) Method and device for online payment
CN112671897B (en) Access method, device, storage medium, equipment and product of distributed system
CN110956722A (en) Method, equipment and storage medium for alarming abnormity of intelligent lock
EP3328022B1 (en) Managing wireless network connection
CN107276795A (en) Information processing method and device and server and terminal based on container
CN114066370A (en) Inventory service calling method, device, equipment, storage medium and program product
CN113329130B (en) Pseudo virtual telephone number using method, device and server based on Internet
CN113467854B (en) Application program starting method and device, electronic equipment and storage medium
CN106874749A (en) A kind of method and apparatus for managing root authority
CN109409097B (en) Information management method, device and computer readable storage medium
CN112804098A (en) Domain name fault line switching method and device, terminal equipment and storage medium
CN112068975B (en) Information processing method and device
CN109067730B (en) Method and device for managing user account
US11375379B1 (en) Method and apparatus for identifying terminals
CN112235451B (en) Method and device for providing alarm about deleted contact
CN113206772B (en) Method, device, equipment, medium and product for judging correctness of response message

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19881082

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 17.09.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19881082

Country of ref document: EP

Kind code of ref document: A1