WO2020228564A1 - Application service method and device - Google Patents

Publication number
WO2020228564A1
Authority
WO
WIPO (PCT)
Prior art keywords
target application
service
identification information
application
code segment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2020/088644
Other languages
French (fr)
Chinese (zh)
Inventor
谢淼
彭艺
刘家豪
李楠
王超
王寅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Publication of WO2020228564A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40 Support for services or applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Definitions

  • This application provides an application service method to solve the problems of insecurity and high transmission cost in the existing application data transmission process.
  • This application also relates to an application service device.
  • a service decision result for the feedback data of the target application is obtained according to the feedback data of the target application and the decision model.
  • the service processing unit is used for processing according to the service request of the target application if the judgment result is yes.
  • Fig. 6 is a schematic diagram of an application service device according to a sixth embodiment of the application.
  • the application service method of this application includes the service registration process of the target application, the feedback data processing process, and the online decision process.
  • three embodiments are used to illustrate the three processes one by one.
  • the initial signature information is used to ensure data security while the service of the target application is registered, during subsequent data processing after registration, and during the logout process, and also to ensure the privacy of the user when using the target application. Therefore, the initial signature information of the target application needs to be obtained during the registration process.
  • the initial signature information further ensures the security of the service of the target application using the system of this application.
  • a service identifier for the service to be registered is generated in a trusted execution environment based on the initial signature information and initial identification information.
  • Passing the initial signature information and initial identification information of the target application into the trusted execution environment may be performed by first storing the initial signature information and initial identification information of the target application in a database in the trusted execution environment;
  • the service ID of the service to be registered is then generated according to the initial signature information and initial identification information in the database. For example, if the target application is APP1 and the service APP1FUNC1 in it is to be registered, its initial identification information is first obtained as A1 and its initial signature information as B1; the service ID generated from A1 and B1 is D1, so D1 is the service ID of APP1FUNC1.
  • the first step is to obtain the feedback data sample of the target application in the rich execution environment; the feedback data sample is used to train the model so that the feedback data produced when the user uses the target application can be processed.
  • the filtering conditions for the feedback data are obtained, the objects that meet the filtering conditions are screened in the object collection, and the objects that meet the filtering conditions are used as candidates.
  • for the target application, all of its services may be obtained first, and it is then determined in turn whether all the services of the target application have service identifiers. If one exists, the second level of judgment is entered, that is, it is judged whether the current identification information of the target application is consistent with the initial identification information when the target application was registered.
  • the second level of judgment is to judge whether the current identification information of the target application is consistent with the initial identification information when the target application is registered. When it is judged that the target application meets the conditions at the first level, it enters the second level of judgment.
  • the target application to be registered needs to be confirmed, that is, the target application is determined according to the current identification information.
  • at least one code segment is selected from the code of the target application as the code segment of the target application.
  • acquiring the code segment of the target application may consist of randomly acquiring a section of the target application's program. While obtaining a section of the target application's program, the location of the code section can also be obtained. Since the technology of randomly obtaining application code segments is relatively mature, it is not described in detail here.
  • the initial signature information obtaining unit is specifically configured to:
  • the service judgment unit is specifically configured to:
  • the service decision result for the feedback data of the target application is obtained.
  • the service processing unit is specifically configured to:

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

An application service method and device. The method comprises: in a rich execution environment, determining whether a registered service exists in a target application, if yes, obtaining a service request of the target application, obtaining the current identification information of the target application according to the service request, and obtaining the current signature information of the target application by means of the current identification information; determining whether the current identification information of the target application is consistent with initial identification information of the target application when being registered; if the current identification information of the target application is consistent with the initial identification information of the target application when being registered, determining, in a trusted execution environment, whether the current signature information of the target application is consistent with initial signature information of the target application when being registered, and if yes, performing processing according to the service request of the target application. By the adoption of the application service method of the present application, whether the current information of the target application is consistent with the initial information at the time of registration is compared, and the service request is processed when the current information and the initial information are consistent, thereby ensuring the security of using a target application service by a user.

Description

Application service method and device

This application claims priority to the Chinese patent application filed on May 16, 2019 with application number 201910411135.X and the invention title "An application service method and device", the entire content of which is incorporated into this application by reference.

Technical field

This application relates to the field of application services, and in particular to an application service method and device.

Background

In recent years, more and more artificial intelligence services have appeared on terminal devices. These services usually need very good personalization to win over consumers. For this reason, terminal device manufacturers and Internet companies all hope to provide personalized services at different levels of the terminal device (including the operating system layer, the framework layer, the application layer, and so on).

Most personalized services on terminal devices in the current technology follow the same design: first, the feedback data generated by the user's use of the terminal device is obtained and uploaded to a back-end server; the back-end server trains a model on the received feedback data; decisions are then made on the feedback data according to the trained model; finally, the decision result is fed back to the terminal device so that the user can receive it.

These existing personalized services have obvious technical defects. Most of them need to obtain the user's usage and operation logs and send them back to a back-end server (not limited to cloud servers), build a personalized model in the cloud, and then push it back to the terminal device by upgrading a software package or an application, thereby upgrading the personalized service function. This approach is not only costly but also infringes on the user's personal privacy to a certain extent. Even if an artificial intelligence chip is installed on the terminal device, a flawed personalized service design can easily be exploited by hackers, leaving functions of the terminal device unusable and even creating risks of loss and leakage of property and private data.

Summary of the invention

This application provides an application service method to solve the problems of insecurity and high transmission cost in the existing application data transmission process. This application also relates to an application service device.

This application provides an application service method, including:

in a rich execution environment, determining whether a registered service exists for the target application; if so, obtaining a service request of the target application, obtaining the current identification information of the target application according to the service request, and obtaining the current signature information of the target application through the current identification information; determining whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered;

if the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determining in a trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered, and if so, performing processing according to the service request of the target application.

Optionally, the method further includes:

in the rich execution environment, obtaining a service registration request of the target application, obtaining the initial identification information of the target application according to the service registration request, and obtaining the initial signature information of the target application through the initial identification information;

in the trusted execution environment, generating, according to the initial signature information and the initial identification information, a service identifier for the service to be registered, and returning the service identifier to the target application.

Optionally, obtaining the initial identification information of the target application according to the service registration request includes:

obtaining the identification information of the target application at a privilege layer higher than that of the target application;

using the identification information as the initial identification information of the target application.

Optionally, obtaining the initial signature information of the target application through the initial identification information includes:

obtaining a code segment of the target application and the code segment position according to the initial identification information;

obtaining the initial signature information of the target application according to the code segment and the code segment position.

Optionally, obtaining the initial signature information of the target application according to the code segment and the code segment position includes:

splicing the code segment with the code segment position to obtain spliced code information;

obtaining the signature information of the code segment according to the spliced code information;

using the signature information of the code segment as the initial signature information of the target application.

Optionally, obtaining the code segment of the target application and the code segment position according to the initial identification information includes:

determining the target application according to the initial identification information;

selecting at least one code segment from the code of the target application as the code segment of the target application.

Optionally, the method further includes:

determining whether there is permission to obtain a code segment of the target application;

obtaining the code segment of the target application through the initial identification information includes:

if it is determined that there is permission to obtain a code segment of the target application, obtaining the code segment of the target application through the initial identification information.

Optionally, generating, in the trusted execution environment, the service identifier for the service to be registered according to the initial signature information and the initial identification information includes:

storing the initial signature information and the initial identification information in a database of the trusted execution environment;

generating, in the trusted execution environment, the service identifier for the service to be registered that corresponds to the initial signature information and the initial identification information.

Optionally, returning the service identifier to the target application includes:

in the rich execution environment, storing the initial identification information and the initial signature information of the registered target application with the service identifier as the index; returning the service identifier stored in the rich execution environment to the target application.

Optionally, the service registration request includes at least one of the following:

name information of the service to be registered in the target application;

information on whether data encryption is enabled for the service to be registered;

data encryption algorithm information for the service to be registered;

data decryption public key information for the service to be registered.

Optionally, the initial identification information of the target application includes at least a unique identifier of the target application, the unique identifier being the unique identification of the target application at the kernel privilege layer.

Optionally, determining whether a registered service exists for the target application includes:

obtaining information about all services of the target application;

determining whether all services of the target application have service identifiers.

Optionally, determining whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered includes:

obtaining the identification information of the target application at a privilege layer higher than that of the target application, and using the identification information as the current identification information of the target application;

obtaining the initial identification information recorded when the target application was registered;

determining whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.

Optionally, determining in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered includes:

obtaining the current signature information of the target application according to the current identification information of the target application;

obtaining the initial signature information recorded when the target application was registered;

determining whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered.

Optionally, obtaining the current signature information of the target application according to the current identification information of the target application includes:

obtaining a code segment of the target application and the code segment position according to the current identification information;

obtaining the current signature information of the target application according to the code segment and the code segment position.

Optionally, obtaining the current signature information of the target application according to the code segment and the code segment position includes:

splicing the code segment with the code segment position to obtain spliced code information;

obtaining the signature information of the code segment according to the spliced code information;

using the signature information of the code segment as the current signature information of the target application.

Optionally, obtaining the code segment of the target application and the code segment position according to the current identification information includes:

determining the target application according to the current identification information;

selecting at least one code segment from the code of the target application as the code segment of the target application.

Optionally, the method further includes:

determining whether there is permission to obtain a code segment of the target application;

obtaining the code segment of the target application through the current identification information includes:

if it is determined that there is permission to obtain a code segment of the target application, obtaining the code segment of the target application through the current identification information.

Optionally, obtaining the service request of the target application includes:

in the rich execution environment, obtaining a feedback data sample of the target application; using the obtained feedback data sample of the target application as the obtained service request of the target application;

performing processing according to the service request of the target application includes: in the trusted execution environment, training, according to the feedback data sample, a decision model used to obtain a service decision result from the feedback data of the target application; using the obtained decision model as the processing result.

Optionally, the method further includes:

in the rich execution environment, obtaining feedback data of the target application;

in the trusted execution environment, obtaining a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.

Optionally, the method further includes:

in the trusted execution environment, storing the feedback data of the target application in a database;

determining whether collection of the feedback data is complete, and if so, deleting all feedback data from the database;

obtaining a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.

Optionally, the method further includes:

determining whether the feedback data is encrypted, and if so, decrypting the feedback data;

obtaining the service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model includes:

obtaining the service decision result for the feedback data of the target application according to the decrypted feedback data and the decision model.

Optionally, obtaining the service request of the target application includes:

in the rich execution environment, obtaining feedback data of the target application, obtaining candidate objects according to the feedback data, and obtaining a decision request of the target application; using the obtained decision request of the target application as the obtained service request of the target application;

performing processing according to the service request of the target application includes: in the trusted execution environment, obtaining, according to the decision request of the target application, a decision model used to obtain a decision result from the candidate objects, and obtaining a decision result according to the candidate objects and the decision model; using the obtained decision result as the processing result.

Optionally, obtaining candidate objects according to the feedback data includes:

obtaining the object set corresponding to the feedback data;

obtaining a filter condition for the feedback data, selecting from the object set the objects that meet the filter condition, and using the objects that meet the filter condition as candidate objects.

Optionally, obtaining, according to the decision request of the target application, the decision model used to obtain a decision result from the candidate objects includes:

obtaining the service identifier included in the decision request;

obtaining the decision model with the service identifier as the index.

Optionally, obtaining the decision result according to the candidate objects and the decision model includes:

scoring each element of the candidate objects according to the decision model to obtain a scoring result;

sorting the elements according to the scoring result to obtain a sorting result;

using the scoring result and the sorting result as the decision result.

对应地,本申请还提供一种应用服务装置,包括:Correspondingly, this application also provides an application service device, including:

服务判断单元,用于在富执行环境中,判断所述目标应用是否存在已注册的服务,若存在,则获取目标应用的服务请求,根据所述服务请求获取所述目标应用的当前识别信息,通过所述当前识别信息获取所述目标应用的当前签名信息;判断所述目标应用的当前识别信息与所述目标应用注册时的初始识别信息是否一致;若所述目标应用的当前识别信息与所述目标应用注册时的初始识别信息一致,则在可信执行环境中判断所述目标应用的当前签名信息与所述目标应用注册时的初始签名信息是否一致;The service judging unit is used to judge whether the target application has a registered service in the rich execution environment, if so, obtain the service request of the target application, and obtain the current identification information of the target application according to the service request, Obtain the current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is If the initial identification information when the target application is registered is consistent, it is determined in a trusted execution environment whether the current signature information of the target application is consistent with the initial signature information when the target application is registered;

服务处理单元,用于判断结果若是,则根据所述目标应用的服务请求进行处理。The service processing unit is used for processing according to the service request of the target application if the judgment result is yes.

本申请还提供一种终端,包括:This application also provides a terminal, including:

服务判断单元,用于在所述终端中的富执行环境中,判断目标应用是否存在已注册的服务,若存在,则获取目标应用的服务请求,根据所述服务请求获取所述目标应用的当前识别信息,通过所述当前识别信息获取所述目标应用的当前签名信息;判断所述目标应用的当前识别信息与所述目标应用注册时的初始识别信息是否一致;若所述目标应用的当前识别信息与所述目标应用注册时的初始识别信息一致,则在所述终端中的可信执行环境中判断所述目标应用的当前签名信息与所述目标应用注册时的初始签名信息是否一致;The service judging unit is used to judge whether the target application has a registered service in the rich execution environment in the terminal, if so, obtain the service request of the target application, and obtain the current target application according to the service request Identification information, obtain the current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application If the information is consistent with the initial identification information when the target application is registered, it is determined in the trusted execution environment in the terminal whether the current signature information of the target application is consistent with the initial signature information when the target application is registered;

服务处理单元,用于判断结果若是,则根据所述目标应用的服务请求进行处理。The service processing unit is used for processing according to the service request of the target application if the judgment result is yes.

与现有技术相比,本申请具有以下优点:Compared with the prior art, this application has the following advantages:

This application provides an application service method, including: in a rich execution environment, determining whether a target application has a registered service; if so, obtaining a service request of the target application, obtaining current identification information of the target application according to the service request, and obtaining current signature information of the target application through the current identification information; determining whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered; if the two are consistent, determining in a trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered; and, if so, processing the service request of the target application. With the application service method of this application, the current information of the target application is compared with the initial information recorded at registration, and the service request is processed only when they are consistent. This provides a security guarantee for the target application that uses the service of this application and prevents the service of the target application from being tampered with during data transmission, thereby ensuring the security of the user who uses the service of the target application.

In a further improved technical solution of this application, the application must be registered before the application service of this application is used. When the service of the target application is registered, the initial identification information of the target application is obtained at a permission layer higher than that of the target application, which further reduces the possibility of data being tampered with when the service of the target application is used to transmit data.

Description of the Drawings

To describe the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments recorded in this application; a person of ordinary skill in the art can obtain other drawings based on them.

FIG. 1 is a flowchart of the application service method according to Embodiment 1 of this application;

FIG. 2 is a flowchart of the service registration method of an application according to Embodiment 2 of this application;

FIG. 3 is a flowchart of the method for processing feedback data of a target application according to Embodiment 3 of this application;

FIG. 4 is a flowchart of the online decision-making method according to Embodiment 4 of this application;

FIG. 5 is a flowchart of the service deregistration method of an application according to Embodiment 5 of this application;

FIG. 6 is a schematic diagram of the application service device according to Embodiment 6 of this application;

FIG. 7 is a schematic diagram of a terminal according to Embodiment 8 of this application;

FIG. 8 is a schematic diagram of the components of a system for application services according to Embodiment 9 of this application.

Detailed Description

Many specific details are set out in the following description to allow this application to be fully understood. However, this application can be implemented in many ways other than those described here, and a person skilled in the art can generalize it in similar ways without departing from its substance. This application is therefore not limited by the specific implementations disclosed below.

This application provides an application service method and device. The specific embodiments are as follows:

FIG. 1 is a flowchart of the application service method according to Embodiment 1 of this application. The method includes the following steps.

Step S101: In the rich execution environment, determine whether the target application has a registered service. If so, obtain the service request of the target application, obtain the current identification information of the target application according to the service request, and obtain the current signature information of the target application through the current identification information. Then determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.

Step S102: If the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determine in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered. If so, process the service request of the target application.

The application service method of this application includes a service registration process for the target application, a feedback data processing process, and an online decision process. In the description below, each of the three processes is explained in its own embodiment.

FIG. 2 is a flowchart of the service registration embodiment of the application service method according to Embodiment 2 of this application. The method includes the following steps.

Step S201: In the rich execution environment, obtain the service registration request of the target application, obtain the initial identification information of the target application according to the service registration request, and obtain the initial signature information of the target application through the initial identification information.

When the service registration method of this embodiment is used to register a service of an application, the service registration request of the target application is obtained first. The service registration request includes at least one of the following: the name of the service to be registered in the target application, whether data encryption is enabled for the service to be registered, the data encryption algorithm for the service to be registered, and the data decryption public key for the service to be registered.

Take the registration of one service of the target application with the method of this embodiment as an example, and assume the target application is APP1. In practice, APP1 may offer many different service functions. When one of these services is registered, the name of the service to be registered can be placed in the service registration request, so that it is clear which service function of the target application is being registered with the method of this embodiment. To ensure that, after registration with the method of this embodiment, the data of the target application is not exposed to tampering during later transmission, the information on whether data encryption is enabled for the service to be registered can also be placed in the service registration request. Likewise, if the information enabling data encryption is placed in the service registration request, the data encryption algorithm and the data decryption public key for the service to be registered can be placed in the request at the same time.

Specifically, the service registration request may be a request string containing the name of the service, whether data encryption is enabled for the service to be registered, the data encryption algorithm of the service to be registered, and the data decryption public key for the service to be registered. Because encryption, decryption, and the algorithms involved are already well studied in the prior art, they are not described further here.

Next, the initial identification information of the target application is obtained according to the service registration request. Specifically, the identification information of the target application may be obtained at a permission layer higher than that of the target application, and the identification information obtained at that higher permission layer is used as the initial identification information of the target application. The higher permission layer may be the kernel layer of the system running the target application, or another layer of the system; any layer with higher permissions than the target application is sufficient. In this embodiment, the system refers to the system of this application that is used to register, deregister, and serve the services of the target application. Note that the initial identification information of the target application here may be the unique identifier of the target application in that system, for example the unique identifier of the target application at the kernel permission layer of the system.

After the identification information of the target application is obtained, the initial signature information of the target application is obtained according to the initial identification information. Specifically, the initial signature information can be obtained in the manner described below.

First, the code segment of the target application and the location of the code segment are obtained according to the initial identification information.

Then, the initial signature information of the target application is obtained according to the code segment and the code segment location. Specifically, one way to do this is to concatenate the code segment with the code segment location to obtain the concatenated code information, compute the signature information of the code segment with a hash algorithm, and use the signature information of the code segment as the initial signature information of the target application.

In this embodiment, the initial signature information is used to keep data secure while the service of the target application is registered, during the data processing that follows registration, and during deregistration. It also protects the privacy of the user who uses the target application. The initial signature information of the target application therefore has to be obtained during registration. Here, the initial signature information further ensures that the service of the target application uses the system of this application securely.

To obtain the code segment of the target application and its location according to the initial identification information, the target application to be registered must first be confirmed; that is, the target application is determined from the initial identification information. For example, suppose three applications, APP1, APP2, and APP3, register services at the same time. Each of the three applications has its own initial identification information. Assume the initial identification information of APP1 is A1, that of APP2 is A2, and that of APP3 is A3. When A1 is used to obtain the code segment and code segment location of the target application, it can be inferred that the code segment and code segment location of APP1 are to be obtained. In the same way, when A2 is used, the code segment and code segment location of APP2 are to be obtained, and when A3 is used, the code segment and code segment location of APP3 are to be obtained.

After the target application whose code segment is to be obtained has been determined, at least one code segment is selected from the code of the target application as the code segment of the target application. When the code segment and its location are obtained, the code segment may simply be a randomly selected section of the target application's program. The location corresponding to that code segment can be obtained at the same time. Because techniques for randomly obtaining a code segment of an application are relatively mature, they are not described further here.

In this embodiment, before the code segment of the target application is obtained, it must also be determined whether permission to obtain the code segment exists for the target application. If it is determined that permission to obtain the code segment exists for the target application, the code segment of the target application is obtained through the initial identification information.

Specifically, when the method of this embodiment is used to register a service of the target application, it must be determined, before the code segment of the target application is obtained, whether permission to obtain the code segment exists for the target application. This check ensures that the code segment of the target application can be obtained successfully. For example, if the executing entity of the service registration method in this embodiment determines that permission to obtain the code segment exists for the current target application, the code segment of the target application is obtained through the initial identification information; otherwise, the code segment of the target application cannot be obtained.

Step S202: In the trusted execution environment, generate the service identifier of the service to be registered according to the initial signature information and the initial identification information, and return the service identifier to the target application.

After the initial signature information and the initial identification information are obtained in step S201, the service identifier of the service to be registered is generated in the trusted execution environment according to the initial signature information and the initial identification information.

Specifically, the service identifier may be generated in the manner described below.

First, the initial signature information and the initial identification information of the target application are passed into the trusted execution environment. The rich execution environment was mentioned in step S201 of this embodiment, and this step involves the trusted execution environment; together, the two make up the operating system used in this embodiment to register the service. A rich execution environment generally refers to an untrusted operating environment, such as the common Android operating system. A trusted execution environment refers to a specific, hardware-isolated operating environment; although it is more secure than the rich execution environment, its storage and computing resources are limited. The operating system that executes the service registration method in this embodiment therefore combines the two: some steps are executed in the rich execution environment and the others in the trusted execution environment, which ensures both high security for data transmission and a high computing rate.

Passing the initial signature information and the initial identification information of the target application into the trusted execution environment may consist of first storing them in a database in the trusted execution environment. The service identifier of the service to be registered is then generated in the trusted execution environment, that is, according to the initial signature information and the initial identification information in the database. For example, suppose the target application is APP1 and its service APP1FUNC1 is registered. The initial identification information obtained first is A1 and the initial signature information is B1; the service identifier generated from A1 and B1 is D1, so D1 is the service identifier of APP1FUNC1.

Then, the service identifier is returned to the target application.

After the trusted execution environment generates the service identifier of the target application's service, the service identifier must be returned to the target application so that the service the target application has registered can be identified.

Specifically, one way to return the service identifier to the target application is as follows: first, in the rich execution environment, store the initial identification information and the initial signature information of the registered target application, indexed by the service identifier; then return the service identifier stored in the rich execution environment to the target application.

Storing the initial identification information and the initial signature information of the registered target application with the service identifier as the index first establishes an association between the registered service identifier and the information of the target application. The service identifier is then returned to the target application through that association.

With the service registration method of this embodiment, the service identifier corresponding to the service of the target application can be obtained from the initial identification information and the initial signature information of the target application. This provides a security guarantee for the target application that uses the service of this application and prevents the service of the target application from being tampered with during data transmission, thereby ensuring the security of the user who uses the service of the target application.

Embodiment 2 above describes the service registration of the application service method. For use after registration, this application also provides a method for processing feedback data of the target application. FIG. 3 is a flowchart of the embodiment of the method for processing feedback data of the target application according to Embodiment 3 of this application. The method includes the following steps.

Step S301: In the rich execution environment, obtain a feedback data sample of the target application and determine whether the target application has a registered service. If so, determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.

When the method provided in this embodiment is used to process the feedback data of the target application, the feedback data sample of the target application is first obtained in the rich execution environment. The feedback data sample is used to train a model, so that the feedback data produced when users use the target application can be processed.

Before a model is trained on the feedback data sample, the service registration of the target application's service is checked first. The check protects the security of user data. In this embodiment the check has three levels, which are described in turn below.

The first-level check determines whether the target application has a registered service.

One way to determine whether the target application has a registered service is to first obtain all the services of the target application and then check, one by one, whether each of them has a service identifier.

As mentioned in Embodiment 2, every successfully registered service has a service identifier in the rich execution environment, so the registration status of a service can be determined initially by checking whether the target application has a service with a service identifier. In the first-level check, if none of the services of the target application has a registered service identifier, the check for this target application ends immediately. If one exists, the second-level check begins, which determines whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.

The second-level check determines whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.

When the first-level check finds that the target application meets the condition, the second-level check begins.

As mentioned in Embodiment 2, a successfully registered service has initial identification information stored in the rich execution environment during registration. Once the first-level check has passed, the initial identification information recorded when the current target application was registered can therefore be retrieved in the rich execution environment.

Likewise, to determine whether the current identification information of the target application is consistent with the initial identification information recorded at registration, the current identification information of the current target application can be determined in the rich execution environment from the current target application. It can be obtained in the same way as the initial identification information in Embodiment 2: the identification information of the current target application is obtained at a permission layer higher than that of the current target application and used as the current identification information of the current target application.

After the current identification information and the initial identification information are obtained, it is determined whether the two are consistent. For example, if the initial identification information recorded when APP1 registered the service is A1 and the current identification information is also A1, the current identification information of the target application is judged to be consistent with the initial identification information recorded at registration. If the initial identification information recorded when APP1 registered the service is A1 and the current identification information is A01, the current identification information of the target application is judged to be inconsistent with the initial identification information recorded at registration.

Step S302: If the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determine in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered. If so, train, on the feedback data sample, the decision model that is used to obtain a service decision result from the feedback data of the target application.

If step S301 determines that the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, the third-level check begins, which determines whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered.

The third-level check determines whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered.

When the second-level check finds that the target application meets the condition, the third-level check begins.

Likewise, as mentioned in Embodiment 2, a successfully registered service has initial signature information stored in the rich execution environment during registration. Once the second-level check has passed, the initial signature information recorded when the current target application was registered can therefore be retrieved in the rich execution environment.

当在可信执行环境中判断目标应用的当前签名信息与目标应用注册时的初始签名信息是否一致时,必然也可以根据当前的目标应用的当前识别信息在富执行环境中确定当前的目标应用的当前签名信息。类似于实施例二获取初始签名信息的方式,获取当前目标应用的当前签名信息可以按照同样的方式,即根据目标应用的当前识别信息获取目标应用的当前签名信息。When judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in the trusted execution environment, the current identification information of the target application can be used to determine the current target application in the rich execution environment. Current signature information. Similar to the method of obtaining the initial signature information in the second embodiment, the current signature information of the current target application can be obtained in the same manner, that is, the current signature information of the target application is obtained according to the current identification information of the target application.

作为根据目标应用的当前识别信息获取目标应用的当前签名信息的一种方式,首先根据当前识别信息获取目标应用的代码段以及代码段位置,之后根据代码段以及所述代码段位置获得目标应用的当前签名信息。As a way to obtain the current signature information of the target application according to the current identification information of the target application, first obtain the code segment and the code segment location of the target application according to the current identification information, and then obtain the target application's signature information according to the code segment and the code segment location. Current signature information.

具体地,作为根据代码段以及代码段位置获得目标应用的当前签名信息的方式之一,可以是将代码段与代码段位置拼接,通过HASH算法算出代码段的签名信息,将代码段的签名信息作为目标应用的当前签名信息。Specifically, as one of the ways to obtain the current signature information of the target application according to the code segment and the position of the code segment, the code segment can be spliced with the position of the code segment, the signature information of the code segment is calculated by the HASH algorithm, and the signature information of the code segment As the current signature information of the target application.

In this embodiment, the current signature information is used to keep the data of the target application's service secure during data processing, and also to protect the privacy of the user using the target application, so the current signature information of the target application must be obtained during data processing. Here, the current signature information further secures the target application's service when it uses the system of this application.

To obtain the code segment of the target application, when the code segment and the code segment position are obtained according to the current identification information, the target application to be registered must be confirmed, that is, the target application is determined from the current identification information. For example, when multiple applications process data at the same time, suppose three applications, APP1, APP2 and APP3, need to process data; each of them necessarily has its own current identification information. Suppose the current identification information of APP1 is A1, that of APP2 is A2, and that of APP3 is A3. When A1 is used to obtain the code segment and code segment position of the target application, it can be inferred that the code segment and code segment position of APP1 are to be obtained. By the same reasoning, when A2 is used, it is inferred that the code segment and code segment position of APP2 are to be obtained; and likewise, when A3 is used, that those of APP3 are to be obtained.

After the target application whose code segment is to be obtained has been determined, at least one code segment is selected from the code of the target application as the code segment of the target application. When the code segment and its position are obtained, the code segment may simply be a randomly selected piece of the target application's program. The position corresponding to that code segment can be obtained at the same time as the piece of program. Because techniques for randomly obtaining a code segment of an application are already mature, they are not described further here.

In this embodiment, before the code segment of the target application is obtained, it must also be determined whether permission to obtain the code segment exists for the target application; if it is determined that such permission exists, the code segment of the target application is obtained through the current identification information.

Specifically, when the method of this embodiment performs data processing after the target application's service has been registered, to make sure that the code segment of the target application can be obtained, it must be determined, before the code segment is obtained, whether permission to obtain the code segment exists for the target application. This check ensures that the code segment of the target application can be obtained smoothly. For example, if the current target application is determined to have permission to obtain the code segment, the code segment of the target application is obtained through the current identification information; otherwise, the code segment of the target application cannot be obtained.

After the current signature information and the initial signature information from registration have been obtained, the trusted execution environment determines whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered. For example, if the initial signature information recorded when APP1 registered the service is B1 and the current signature information is also B1, the current signature information of the target application is judged consistent with the initial signature information from registration; if the initial signature information recorded when APP1 registered the service is B1 and the current signature information is B01, the current signature information of the target application is judged inconsistent with the initial signature information from registration. Note that this judgment is performed in the trusted execution environment, whereas the signature information is obtained in the rich execution environment. In short, during data processing the last of the three levels of judgment is performed in the trusted execution environment, to fully ensure that the data of the target application is not tampered with during processing.
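The three-level check and the hash-based signature described above, as an added illustration that is not part of the patent text. SHA-256, the 8-byte big-endian position encoding, the service name and the application image are all assumptions chosen for the sketch; on a real device the level-3 comparison would run inside the trusted execution environment.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    OK = "ok"
    NOT_REGISTERED = "service not registered"      # level 1 failed
    ID_MISMATCH = "identification mismatch"        # level 2 failed
    SIGNATURE_MISMATCH = "signature mismatch"      # level 3 failed


@dataclass(frozen=True)
class Registration:
    app_id: str       # initial identification information
    offset: int       # position of the measured code segment
    length: int       # size of the measured code segment
    signature: bytes  # initial signature information


def sign_segment(image: bytes, offset: int, length: int) -> bytes:
    """Signature = HASH(code segment || position).

    Assumptions: SHA-256 as the hash, position appended as a fixed-width
    8-byte big-endian integer so the concatenation is unambiguous.
    """
    if offset < 0 or length <= 0 or offset + length > len(image):
        raise ValueError("code segment lies outside the application image")
    segment = image[offset:offset + length]
    return hashlib.sha256(segment + offset.to_bytes(8, "big")).digest()


def tee_signatures_match(initial: bytes, current: bytes) -> bool:
    """Level-3 comparison (stands in for code running inside the TEE)."""
    return hmac.compare_digest(initial, current)  # constant-time compare


class ServiceRegistry:
    """Hypothetical registry, indexed by service identifier."""

    def __init__(self) -> None:
        self._by_service: dict[str, Registration] = {}

    def register(self, service_id: str, app_id: str, image: bytes,
                 offset: int, length: int) -> None:
        sig = sign_segment(image, offset, length)
        self._by_service[service_id] = Registration(app_id, offset, length, sig)

    def verify(self, service_id: str, current_app_id: str,
               current_image: bytes) -> Verdict:
        # Level 1: is there a registered service for this request?
        reg = self._by_service.get(service_id)
        if reg is None:
            return Verdict.NOT_REGISTERED
        # Level 2: current identification vs. identification at registration.
        # current_app_id is assumed to be supplied by a layer more privileged
        # than the application itself, not by the application.
        if current_app_id != reg.app_id:
            return Verdict.ID_MISMATCH
        # Level 3: re-measure the same segment and compare signatures.
        try:
            current_sig = sign_segment(current_image, reg.offset, reg.length)
        except ValueError:
            return Verdict.SIGNATURE_MISMATCH
        if not tee_signatures_match(reg.signature, current_sig):
            return Verdict.SIGNATURE_MISMATCH
        return Verdict.OK


def demo() -> dict[str, Verdict]:
    image = bytes(range(256)) * 2            # constructed 512-byte "APP1" image
    registry = ServiceRegistry()
    registry.register("svc-recommend", "A1", image, offset=64, length=128)

    inside = bytearray(image)
    inside[100] ^= 0xFF                      # change within the measured segment
    outside = bytearray(image)
    outside[300] ^= 0xFF                     # change outside the measured segment

    return {
        "unchanged": registry.verify("svc-recommend", "A1", image),
        "unregistered service": registry.verify("svc-other", "A1", image),
        "other application": registry.verify("svc-recommend", "A2", image),
        "modified inside segment": registry.verify("svc-recommend", "A1", bytes(inside)),
        "modified outside segment": registry.verify("svc-recommend", "A1", bytes(outside)),
        "truncated image": registry.verify("svc-recommend", "A1", image[:100]),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} -> {verdict.value}")
```

The "modified outside segment" case passes all three levels: a signature over one selected code segment only detects changes inside that segment, so the coverage of the check depends on which segment or segments are measured.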

After all three levels have been verified, that is, when the target application has a registered service, the current identification information of the target application is consistent with the initial identification information from registration, and the current signature information of the target application is consistent with the initial signature information from registration, a decision model used to obtain service decision results from the feedback data of the target application is trained from the feedback data samples.

Specifically, as one way of training the decision model used to obtain service decision results from the feedback data of the target application, the feedback data samples are first learned in the trusted execution environment, using either online processing or batch processing. The decision model resulting from the learning is then obtained and stored in the trusted execution environment, indexed by the service identifier of the target application.

After the decision model has been stored in the trusted execution environment, the feedback data of the target application is obtained in the rich execution environment, and a service decision result for the feedback data of the target application is obtained from that feedback data and the decision model.

When feedback data is obtained, the feedback data of the target application may be stored temporarily in a database in the trusted execution environment. It is then determined whether collection of the feedback data is complete; if so, all feedback data in the database is deleted. Deleting feedback data promptly once it has been used saves storage space on the one hand and keeps the feedback data secure on the other.

Before the feedback data is processed, it must also be determined whether the feedback data is encrypted; if so, the feedback data is decrypted, and a service decision result for the feedback data of the target application is obtained from the decrypted feedback data and the decision model.

With the method of this embodiment for processing the feedback data of the target application, data can be processed in the trusted execution environment, which has a higher security level, so that the feedback data of the target application is kept secure. Because the method applies to a target application whose service has already been registered, it must verify, level by level, whether the target application has registered the service, whether the initial identification information of the target application at registration is consistent with the current identification information of the current target application, and, in the trusted execution environment, whether the initial signature information of the target application at registration is consistent with the current signature information of the current target application. This further prevents the service of the target application from being maliciously tampered with while feedback data is transmitted, and so further secures the user's use of the target application's service.

Embodiment 3 above describes the processing of feedback data in the application service method. Following the processing of feedback data, this application also provides an online decision method for the target application. Figure 4 is a flowchart of Embodiment 4 of this application, an embodiment of the online decision method for the target application service method. The method includes the following steps.

Step S401: In the rich execution environment, obtain feedback data of the target application, obtain candidate objects according to the feedback data, obtain a decision request of the target application, and determine whether the target application has registered a service for the decision request; if so, determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.

When the method of this embodiment is used to obtain a decision result, the feedback data of the target application is first obtained in the rich execution environment, and candidate objects are obtained according to the feedback data.

Specifically, candidate objects can be obtained from the feedback data as follows.

First, the object set corresponding to the feedback data is obtained.

Then, the screening conditions for the feedback data are obtained, the objects in the object set that satisfy the screening conditions are selected, and those objects are taken as the candidate objects.

Because the method of this embodiment is a method for obtaining a decision result, the decision request for the target application that triggers the method is obtained at the same time as the feedback data.

Before the feedback data is obtained, the service registration of the target application's service is likewise checked first. This check is also intended to keep user data secure. The judgment in this embodiment is also divided into three levels, which are the same as those in Embodiment 3.

The first two levels of judgment are, respectively, determining whether the target application has registered a service for the decision request and, if so, determining whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered. These judgments are described in detail in Embodiment 3 and are not repeated here; see the corresponding description in Embodiment 3.

Step S402: If the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determine, in the trusted execution environment, whether the current signature information of the target application is consistent with the initial signature information recorded at registration; if so, obtain, according to the decision request of the target application, a decision model used to obtain a decision result from the candidate objects, and obtain the decision result from the candidate objects and the decision model.

Likewise, if the current identification information of the target application is determined to be consistent with the initial identification information from registration, the trusted execution environment determines whether the current signature information of the target application is consistent with the initial signature information from registration. For a detailed description of this part, see the corresponding description in Embodiment 3; it is not repeated here.

After the trusted execution environment has determined that the current signature information of the target application is consistent with the initial signature information from registration, the decision model used to obtain a decision result from the candidate objects is obtained according to the decision request of the target application and the candidate objects obtained earlier. The decision model can be obtained as follows.

First, the service identifier contained in the decision request is obtained. The decision request obtained in step S401 includes the service identifier of the service that the target application has registered.

After the service identifier has been obtained, it is used as the index to obtain the decision model pre-stored during feedback data processing, and that decision model is used as the decision model for obtaining a decision result from the candidate objects. Because the decision model obtained by the training in Embodiment 3 was stored in the trusted execution environment indexed by the service identifier, the decision process only needs to use the service identifier as the index to obtain, from the trusted execution environment, the decision model pre-stored during feedback data processing.

After the decision model has been obtained, the decision result is obtained from the candidate objects and the decision model. Obtaining the decision result includes scoring each element of the candidate objects according to the decision model and sorting the elements by score; the score of each element and the sorted order are taken as the decision result.

With the online decision method of this embodiment, decisions can likewise be made in the trusted execution environment, which has a higher security level. Because the online decision of this embodiment applies to a target application whose service has already been registered, it must verify, level by level, whether the target application has registered the service, whether the initial identification information of the target application at registration is consistent with the current identification information of the current target application, and, in the trusted execution environment, whether the initial signature information of the target application at registration is consistent with the current signature information of the current target application. This further prevents the service of the target application from being maliciously tampered with during the decision process, and so further secures the user's use of the target application's service.

Corresponding to the service registration of Embodiment 1, and to further secure the application service of this application, this application also provides a service deregistration method for an application. Figure 5 is a flowchart of Embodiment 5 of this application, an embodiment of the deregistration method for the application service. The method includes the following steps.

Step S501: In the rich execution environment, obtain a service deregistration request of the target application, determine from the service deregistration request whether the target application has a registered service, and, if it does, determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.

In this embodiment, the service deregistration method for an application first obtains the service deregistration request of the target application and performs the subsequent operations according to that request.

As in Embodiment 3, three levels of judgment are also performed when the deregistration method of this embodiment is used. The three levels are described briefly below; for the detailed description, see the relevant part of Embodiment 3.

The first level of judgment determines whether the target application has a registered service.

As one way of determining whether the target application has a registered service, all services of the target application may first be obtained, and it is then determined in turn whether each of those services has a service identifier. If a registered service exists, the second level of judgment is entered, namely determining whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.

The second level of judgment determines whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered. It is entered when the first level determines that the target application meets the conditions.

Specifically, one way of determining whether the current identification information of the target application is consistent with the initial identification information from registration is as follows: first, the identification information of the target application is obtained at a privilege layer higher than that of the target application itself and is taken as the current identification information of the target application; next, the initial identification information recorded when the target application was registered is obtained; once the initial identification information and the current identification information have both been obtained, it is determined whether the current identification information of the target application is consistent with the initial identification information from registration.

Step S502: If the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determine, in the trusted execution environment, whether the current signature information of the target application is consistent with the initial signature information recorded at registration; if so, delete the feedback data and the decision model for the target application.

In step S501, if the current identification information of the target application is determined to be consistent with the initial identification information from registration, the third level of judgment is entered, namely determining whether the current signature information of the target application is consistent with the initial signature information from registration.

The third level of judgment determines whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered.

The third level of judgment is entered when the second level determines that the target application meets the conditions.

Likewise, as mentioned in Embodiment 2, a successfully registered service has initial signature information in the rich execution environment from the registration process. Therefore, once the second-level judgment is passed, the initial signature information recorded when the current target application was registered can be extracted in the rich execution environment.

When the trusted execution environment is to determine whether the current signature information of the target application is consistent with the initial signature information from registration, the current signature information of the current target application can necessarily also be determined in the rich execution environment from its current identification information. The current signature information is obtained in the same way as the initial signature information in Embodiment 2, that is, from the current identification information of the target application.

As one way of obtaining the current signature information of the target application from its current identification information, the code segment of the target application and the position of that code segment are first obtained according to the current identification information, and the current signature information of the target application is then derived from the code segment and the code segment position.

Specifically, as one way of deriving the current signature information of the target application from the code segment and the code segment position, the code segment may be concatenated with the code segment position, the signature information of the code segment computed with a hash algorithm, and that signature information used as the current signature information of the target application.

In this embodiment, the current signature information is used to keep the data of the target application's service secure during deregistration, and also to protect the privacy of the user using the target application, so the current signature information of the target application must be obtained during deregistration. Here, the current signature information further secures the target application's service when it uses the system of this application.

To obtain the code segment of the target application, when the code segment and the code segment position are obtained according to the current identification information, the target application to be registered must be confirmed, that is, the target application is determined from the current identification information. After the target application whose code segment is to be obtained has been determined, at least one code segment is selected from the code of the target application as the code segment of the target application. When the code segment and its position are obtained, the code segment may simply be a randomly selected piece of the target application's program. The position corresponding to that code segment can be obtained at the same time as the piece of program. Because techniques for randomly obtaining a code segment of an application are already mature, they are not described further here.

In this embodiment, before the code segment of the target application is obtained, it must also be determined whether permission to obtain the code segment exists for the target application; if it is determined that such permission exists, the code segment of the target application is obtained through the current identification information.

Specifically, when the method of this embodiment deregisters a service of the target application after it has been registered, to make sure that the code segment of the target application can be obtained, it must be determined, before the code segment is obtained, whether permission to obtain the code segment exists for the target application. This check ensures that the code segment of the target application can be obtained smoothly. For example, if the current target application is determined to have permission to obtain the code segment, the code segment of the target application is obtained through the current identification information; otherwise, the code segment of the target application cannot be obtained.

After the current signature information and the initial signature information from registration have been obtained, the trusted execution environment determines whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered. Note that this judgment is performed in the trusted execution environment, whereas the signature information is obtained in the rich execution environment. In short, during deregistration the last of the three levels of judgment is performed in the trusted execution environment, to fully ensure that the data of the target application is not tampered with during deregistration.

在校验三个层次均符合条件后,即目标应用存在注册的服务,目标应用的当前识别信息与注册的初始识别信息一致,以及,目标应用的当前签名信息与注册的初始签名信息一致时,则删除针对目标应用的反馈数据与决策模型。After verifying that all three levels meet the conditions, that is, when the target application has registered services, the current identification information of the target application is consistent with the registered initial identification information, and when the current signature information of the target application is consistent with the registered initial signature information, Then delete the feedback data and decision model for the target application.

采用本实施例的应用服务的注销方法,同样能够在安全等级较高的可信执行环境中进行注销,由于使用本实施例的应用服务的注销方法是针对已经注册了目标应用的服务的,因此需要逐级校验目标应用是否注册服务,注册时的目标应用的初始识别信息与当前目标应用的当前识别信息是否一致,以及在可信执行环境中校验注册时的目标应用的初始签名信息与当前目标应用的当前签名信息是否一致,进一步防止目标应用的服务在注销过程中或在注销之前被恶意篡改,从而进一步保证用户使用目标应用的服务的安全。Using the application service deregistration method of this embodiment, it is also possible to perform deregistration in a trusted execution environment with a higher security level. Because the application service deregistration method using this embodiment is for services that have registered the target application, It is necessary to verify step by step whether the target application is registered for the service, whether the initial identification information of the target application at the time of registration is consistent with the current identification information of the current target application, and verify the initial signature information of the target application at the time of registration in a trusted execution environment and Whether the current signature information of the current target application is consistent, to further prevent the service of the target application from being maliciously tampered with during the logout process or before the logout, thereby further ensuring the safety of the user using the service of the target application.
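The three-level deregistration check described above, as an added Python model that is not code from the patent. SHA-256 over the code segment spliced with an 8-byte offset, the class names `RichSide` and `TrustedSide`, the method names and the return strings are assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac
import secrets


def code_signature(code_segment: bytes, segment_location: int) -> bytes:
    """Splice the code segment with its location and digest the result.

    Assumption: the page only says the two are spliced and a signature is
    derived; SHA-256 and the 8-byte big-endian offset are choices made here.
    """
    spliced = code_segment + segment_location.to_bytes(8, "big")
    return hashlib.sha256(spliced).digest()


class TrustedSide:
    """Models the TEE: reference records, feedback data and decision model."""

    def __init__(self):
        self._records = {}   # service_id -> (initial app id, initial signature)
        self.feedback = {}   # service_id -> collected feedback data
        self.models = {}     # service_id -> decision model

    def register(self, app_id, signature):
        service_id = secrets.token_hex(8)      # service identifier made in the TEE
        self._records[service_id] = (app_id, signature)
        self.feedback[service_id] = []
        self.models[service_id] = {"weights": []}
        return service_id

    def signature_matches(self, service_id, current_signature):
        record = self._records.get(service_id)
        if record is None:
            return False
        # Constant-time comparison of the stored and the current digest.
        return hmac.compare_digest(record[1], current_signature)

    def delete(self, service_id):
        self._records.pop(service_id, None)
        self.feedback.pop(service_id, None)
        self.models.pop(service_id, None)


class RichSide:
    """Models the REE service manager, which indexes registrations by service id."""

    def __init__(self, tee):
        self.tee = tee
        self.index = {}      # service_id -> initial app id (REE-side copy)

    def register(self, kernel_app_id, code_segment, segment_location):
        signature = code_signature(code_segment, segment_location)
        service_id = self.tee.register(kernel_app_id, signature)
        self.index[service_id] = kernel_app_id
        return service_id

    def deregister(self, service_id, kernel_app_id, code_segment, segment_location):
        # Level 1 (REE): does a registered service exist?
        if service_id not in self.index:
            return "not_registered"
        # Level 2 (REE): kernel_app_id is read at a layer more privileged than
        # the app, so the app cannot simply claim another app's identity.
        if self.index[service_id] != kernel_app_id:
            return "identification_mismatch"
        # Level 3: the REE computes the current signature, the TEE compares it.
        current = code_signature(code_segment, segment_location)
        if not self.tee.signature_matches(service_id, current):
            return "signature_mismatch"
        # All three levels passed: drop feedback data and decision model.
        self.tee.delete(service_id)
        del self.index[service_id]
        return "deleted"


if __name__ == "__main__":
    tee = TrustedSide()
    ree = RichSide(tee)
    code = b"\x55\x48\x89\xe5\x90\xc3"          # constructed sample bytes
    sid = ree.register(1001, code, 0x1000)
    print(ree.deregister(sid, 1001, code + b"\x90", 0x1000))  # patched code
    print(ree.deregister(sid, 1001, code, 0x1000))            # untouched code
```

Because the location is part of the digest input, the same bytes reported at a different offset also fail the level-3 comparison.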

In short, in Embodiments 2 to 5 above, the application service of this application is divided into a registration process, a data processing process, an online decision process and a deregistration process, and every stage after registration is verified, thereby protecting the user's use of the target application's service.

Corresponding to the application service method above, this application also provides an application service device. Please refer to FIG. 6, which is a schematic diagram of an application service device according to Embodiment 6 of this application. Because the device embodiment is basically similar to the method embodiments, it is described only briefly; for related details, see the corresponding parts of the method embodiments. The device embodiment described below is merely illustrative. The application service device provided by this application includes the following parts.

This application provides an application service device, including:

a service judgment unit 601, configured to: in the rich execution environment, determine whether the target application has a registered service and, if so, obtain a service request of the target application, obtain the current identification information of the target application according to the service request, and obtain the current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information from the registration of the target application; and, if the current identification information of the target application is consistent with the initial identification information from registration, determine in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from the registration of the target application;

a service processing unit 602, configured to, if the determination result is yes, perform processing according to the service request of the target application.

Optionally, the device further includes:

an initial signature information obtaining unit, configured to, in the rich execution environment, obtain a service registration request of the target application, obtain the initial identification information of the target application according to the service registration request, and obtain the initial signature information of the target application through the initial identification information;

a service identifier generating unit, configured to, in the trusted execution environment, generate a service identifier for the service to be registered according to the initial signature information and the initial identification information;

an identifier returning unit, configured to return the service identifier to the target application.

Optionally, the initial signature information obtaining unit is specifically configured to:

obtain the identification information of the target application at a permission layer higher than that of the target application;

use the identification information as the initial identification information of the target application.

Optionally, the initial signature information obtaining unit is specifically configured to:

obtain the code segment and the code segment location of the target application according to the initial identification information;

obtain the initial signature information of the target application according to the code segment and the code segment location.

Optionally, the initial signature information obtaining unit is specifically configured to:

splice the code segment with the code segment location to obtain spliced code information;

obtain the signature information of the code segment according to the spliced code information;

use the signature information of the code segment as the initial signature information of the target application.

Optionally, the initial signature information obtaining unit is specifically configured to:

determine the target application according to the initial identification information;

select at least one code segment from the code of the target application as the code segment of the target application.

Optionally, the initial signature information obtaining unit is further configured to:

determine whether there is permission to obtain the code segment for the target application;

the obtaining of the code segment of the target application through the initial identification information includes:

if it is determined that there is permission to obtain the code segment for the target application, obtaining the code segment of the target application through the initial identification information.

Optionally, the service identifier generating unit is specifically configured to:

store the initial signature information and the initial identification information in the database of the trusted execution environment;

in the trusted execution environment, generate the service identifier, corresponding to the initial signature information and the initial identification information, of the service to be registered.

Optionally, the identifier returning unit is specifically configured to:

in the rich execution environment, store the initial identification information and the initial signature information of the registered target application with the service identifier as the index; and return the service identifier stored in the rich execution environment to the target application.

Optionally, the service registration request includes at least one of the following items of information:

name information of the service to be registered in the target application;

information on whether data encryption is enabled for the service to be registered;

data encryption algorithm information for the service to be registered;

data decryption public key information for the service to be registered.

Optionally, the initial identification information of the target application includes at least a unique identifier of the target application, the unique identifier being the unique identifier of the target application at the kernel permission layer.

Optionally, the service judgment unit is specifically configured to:

obtain information about all services of the target application;

determine whether all services of the target application have a service identifier.

Optionally, the service judgment unit is specifically configured to:

obtain the identification information of the target application at a permission layer higher than that of the target application, and use the identification information as the current identification information of the target application;

obtain the initial identification information from the registration of the target application;

determine whether the current identification information of the target application is consistent with the initial identification information from the registration of the target application.

Optionally, the service judgment unit is specifically configured to:

obtain the current signature information of the target application according to the current identification information of the target application;

obtain the initial signature information from the registration of the target application;

determine whether the current signature information of the target application is consistent with the initial signature information from the registration of the target application.

Optionally, the service judgment unit is specifically configured to:

obtain the code segment and the code segment location of the target application according to the current identification information;

obtain the current signature information of the target application according to the code segment and the code segment location.

Optionally, the service judgment unit is specifically configured to:

splice the code segment with the code segment location to obtain spliced code information;

obtain the signature information of the code segment according to the spliced code information;

use the signature information of the code segment as the current signature information of the target application.

Optionally, the service judgment unit is specifically configured to:

determine the target application according to the current identification information;

select at least one code segment from the code of the target application as the code segment of the target application.

Optionally, the service judgment unit is specifically configured to:

determine whether there is permission to obtain the code segment for the target application;

if it is determined that there is permission to obtain the code segment for the target application, obtain the code segment of the target application through the current identification information.

Optionally, the service judgment unit is specifically configured to: in the rich execution environment, obtain a feedback data sample of the target application, and treat the obtaining of the feedback data sample of the target application as the obtained service request of the target application;

the service processing unit is specifically configured to: in the trusted execution environment, train, according to the feedback data sample, a decision model used to obtain a service decision result from the feedback data of the target application; and use the decision model for obtaining the service decision result as the processing result.

Optionally, the device further includes a decision unit, the decision unit being specifically configured to:

in the rich execution environment, obtain the feedback data of the target application;

in the trusted execution environment, obtain a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.

Optionally, the decision unit is specifically configured to:

in the trusted execution environment, collect the feedback data of the target application into a database;

determine whether collection of the feedback data is complete and, if the determination result is yes, delete all feedback data in the database;

obtain a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.

Optionally, the decision unit further includes a decryption unit, the decryption unit being specifically configured to:

determine whether the feedback data is encrypted and, if so, decrypt the feedback data;

the decision unit is specifically configured to:

obtain a service decision result for the feedback data of the target application according to the decrypted feedback data and the decision model.

Optionally, the service judgment unit is specifically configured to: in the rich execution environment, obtain the feedback data of the target application and obtain candidate objects according to the feedback data; obtain a decision request of the target application; and treat the obtaining of the decision request of the target application as the obtained service request of the target application;

the service processing unit is specifically configured to: in the trusted execution environment, obtain, according to the decision request of the target application, a decision model used to obtain a decision result from the candidate objects, and obtain a decision result according to the candidate objects and the decision model; and use the obtained decision result as the processing result.

Optionally, the service judgment unit is specifically configured to:

obtain the object set corresponding to the feedback data;

obtain a filter condition for the feedback data, select from the object set the objects that meet the filter condition, and use the objects that meet the filter condition as candidate objects.

Optionally, the service processing unit is specifically configured to:

obtain the service identifier contained in the decision request;

obtain the decision model using the service identifier as the index.

Optionally, the service processing unit is specifically configured to:

score each element of the candidate objects according to the decision model to obtain a scoring result;

sort the elements according to the scoring result to obtain a sorting result;

use the scoring result and the sorting result as the decision result.

The application service method of this application can be applied on a terminal. Correspondingly, this application also provides a terminal. Please refer to FIG. 7, which is a schematic diagram of a terminal according to Embodiment 7 of this application. Because the terminal embodiment is basically similar to method Embodiments 1 to 5, it is described only briefly; for related details, see the corresponding parts of Embodiments 1 to 5. The embodiment described below is merely illustrative.

The terminal provided by this application includes the following parts.

A service judgment unit 701, configured to: in the rich execution environment of the terminal, determine whether the target application has a registered service and, if so, obtain a service request of the target application, obtain the current identification information of the target application according to the service request, and obtain the current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information from the registration of the target application; and, if the current identification information of the target application is consistent with the initial identification information from registration, determine in the trusted execution environment of the terminal whether the current signature information of the target application is consistent with the initial signature information from the registration of the target application;

a service processing unit 702, configured to, if the determination result is yes, perform processing according to the service request of the target application.

This application also provides a system for application services, shown in FIG. 8, which is a schematic diagram of the components of a system for application services according to Embodiment 8 of this application. The system includes the following components: a feedback data collector, a service manager, an end-side decision TA, a feedback learner, a decision maker, and a data and model manager.

The feedback data collector and the service manager are located in the rich execution environment of the system. The feedback data collector collects the feedback data of the target application according to identification information obtained at a permission layer higher than that of the target application. The service manager passes the request type of the service into the trusted execution environment according to identification information obtained at a permission layer higher than that of the target application.

The end-side decision TA, the feedback learner, the decision maker, and the data and model manager are all located in the trusted execution environment. The end-side decision TA calls the feedback learner, the decision maker, and the data and model manager according to the request type of the service, and processes that request type. The feedback learner trains, according to feedback data samples, the decision model used to obtain a service decision result from the feedback data of the target application. The decision maker obtains a service decision result for the feedback data of the target application according to the feedback data and the decision model. The data and model manager stores the feedback data and the decision model.

The system of this application places its components in different execution environments, which protects applications that use the system while data is being transmitted and prevents the service of the target application from being tampered with during data transmission.

Although this application is disclosed above through preferred embodiments, they are not intended to limit this application. Any person skilled in the art can make possible changes and modifications without departing from the spirit and scope of this application, so the scope of protection of this application shall be the scope defined by the claims of this application.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory. The memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

1. Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include non-transitory computer readable storage media, such as modulated data signals and carrier waves.

2. Those skilled in the art should understand that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.

Claims (28)

一种应用服务方法,其特征在于,包括:An application service method, characterized by comprising: 在富执行环境中,判断目标应用是否存在已注册的服务,若存在,则获取目标应用的服务请求,根据所述服务请求获取所述目标应用的当前识别信息,通过所述当前识别信息获取所述目标应用的当前签名信息;判断所述目标应用的当前识别信息与所述目标应用注册时的初始识别信息是否一致;In the rich execution environment, it is determined whether the target application has a registered service, if so, the service request of the target application is obtained, the current identification information of the target application is obtained according to the service request, and the current identification information is used to obtain all the services. The current signature information of the target application; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; 若所述目标应用的当前识别信息与所述目标应用注册时的初始识别信息一致,则在可信执行环境中判断所述目标应用的当前签名信息与所述目标应用注册时的初始签名信息是否一致,若是,则根据所述目标应用的服务请求进行处理。If the current identification information of the target application is consistent with the initial identification information when the target application is registered, it is determined in the trusted execution environment whether the current signature information of the target application and the initial signature information when the target application is registered If they are consistent, the processing is performed according to the service request of the target application. 
根据权利要求1所述的应用服务方法,其特征在于,还包括:The application service method according to claim 1, further comprising: 在富执行环境中,获取目标应用的服务注册请求,根据所述服务注册请求获取所述目标应用的初始识别信息,通过所述初始识别信息获取所述目标应用的初始签名信息;In a rich execution environment, acquiring a service registration request of a target application, acquiring initial identification information of the target application according to the service registration request, and acquiring initial signature information of the target application through the initial identification information; 在可信执行环境中,根据所述初始签名信息以及所述初始识别信息,生成需要注册服务的服务标识,将所述服务标识返回至所述目标应用。In a trusted execution environment, based on the initial signature information and the initial identification information, a service identification that requires a service to be registered is generated, and the service identification is returned to the target application. 根据权利要求2所述的应用服务方法,其特征在于,所述根据所述服务注册请求,获取所述目标应用的初始识别信息,包括:The application service method according to claim 2, wherein the obtaining the initial identification information of the target application according to the service registration request comprises: 在高于所述目标应用的权限层获取所述目标应用的识别信息;Acquiring the identification information of the target application at a higher authority level than the target application; 将所述识别信息作为所述目标应用的初始识别信息。The identification information is used as the initial identification information of the target application. 根据权利要求2所述的应用服务方法,其特征在于,所述通过所述初始识别信息获取所述目标应用的初始签名信息,包括:The application service method according to claim 2, wherein the obtaining the initial signature information of the target application through the initial identification information comprises: 根据所述初始识别信息获取所述目标应用的代码段以及代码段位置;Acquiring the code segment and code segment location of the target application according to the initial identification information; 根据所述代码段以及所述代码段位置获得所述目标应用的初始签名信息。Obtain the initial signature information of the target application according to the code segment and the location of the code segment. 
根据权利要求4所述的应用服务方法,其特征在于,所述根据所述代码段以及所述代码段位置获得所述目标应用的初始签名信息,包括:The application service method according to claim 4, wherein the obtaining the initial signature information of the target application according to the code segment and the location of the code segment comprises: 将所述代码段与所述代码段位置拼接,获得拼接后的代码信息;Splicing the code segment with the position of the code segment to obtain spliced code information; 根据所述拼接后的代码信息获得所述代码段的签名信息;Obtaining the signature information of the code segment according to the spliced code information; 将所述代码段的签名信息作为所述目标应用的初始签名信息。Use the signature information of the code segment as the initial signature information of the target application. 根据权利要求4所述的应用服务方法,其特征在于,所述根据所述初始识别信息获取所述目标应用的代码段以及代码段位置,包括:The application service method according to claim 4, wherein the obtaining the code segment and the code segment location of the target application according to the initial identification information comprises: 根据所述初始识别信息确定所述目标应用;Determining the target application according to the initial identification information; 从所述目标应用的代码中选取至少一个代码段作为所述目标应用的代码段。At least one code segment is selected from the codes of the target application as the code segment of the target application. 根据权利要求4所述的应用服务方法,其特征在于,还包括:The application service method according to claim 4, further comprising: 判断针对所述目标应用是否具有获取代码段的权限;Determine whether the target application has the authority to obtain the code segment; 所述通过所述初始识别信息获取所述目标应用的代码段,包括:The obtaining the code segment of the target application through the initial identification information includes: 若确定针对所述目标应用具有获取代码段的权限,则通过所述初始识别信息获取所述目标应用的代码段。If it is determined that the target application has the authority to acquire the code segment, the code segment of the target application is acquired through the initial identification information. 
根据权利要求2所述的应用服务方法,其特征在于,所述在可信执行环境中,根据所述初始签名信息以及所述初始识别信息,生成需要注册服务的服务标识,包括:The application service method according to claim 2, characterized in that, in a trusted execution environment, according to the initial signature information and the initial identification information, generating a service identification that requires a registered service comprises: 将所述初始签名信息以及所述初始识别信息存储至所述可信执行环境的数据库中;Storing the initial signature information and the initial identification information in the database of the trusted execution environment; 在所述可信执行环境中,生成所述初始签名信息与所述初始识别信息对应的需要注册服务的服务标识。In the trusted execution environment, a service identifier corresponding to the initial signature information and the initial identification information that requires a registered service is generated. 根据权利要求2所述的应用服务方法,其特征在于,所述将所述服务标识返回至所述目标应用,包括:The application service method according to claim 2, wherein the returning the service identifier to the target application comprises: 在所述富执行环境中,以所述服务标识为索引,储存已注册的所述目标应用的所述初始识别信息与所述初始签名信息;将所述储存在所述富执行环境中的所述服务标识返回至所述目标应用。In the rich execution environment, use the service identifier as an index to store the initial identification information and the initial signature information of the registered target application; store all the information stored in the rich execution environment The service identifier is returned to the target application. 根据权利要求2所述的应用服务方法,其特征在于,所述服务注册请求包括以下至少一种信息:The application service method according to claim 2, wherein the service registration request includes at least one of the following information: 所述目标应用中需要注册的服务的名称信息;The name information of the service that needs to be registered in the target application; 针对所述需要注册的服务是否开启数据加密的信息;Whether to enable data encryption for the service that needs to be registered; 针对所述需要注册的服务的数据加密算法信息;Data encryption algorithm information for the service that needs to be registered; 针对所述需要注册的服务的数据解密公钥信息。Decrypt the public key information for the data of the service that needs to be registered. 
The application service method according to claim 2 or 3, wherein the initial identification information of the target application includes at least a unique identifier of the target application, the unique identifier being the unique identification of the target application at the kernel privilege layer.

The application service method according to claim 2, wherein determining whether the target application has a registered service comprises:
obtaining information about all services of the target application;
determining whether all services of the target application have service identifiers.

The application service method according to claim 1, wherein determining whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered comprises:
acquiring identification information of the target application at a privilege layer higher than that of the target application, and using that identification information as the current identification information of the target application;
acquiring the initial identification information recorded when the target application was registered;
determining whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.
The application service method according to claim 13, wherein determining, in the trusted execution environment, whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered comprises:
acquiring the current signature information of the target application according to the current identification information of the target application;
acquiring the initial signature information recorded when the target application was registered;
determining whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered.

The application service method according to claim 14, wherein acquiring the current signature information of the target application according to the current identification information of the target application comprises:
acquiring the code segment and the code segment location of the target application according to the current identification information;
obtaining the current signature information of the target application according to the code segment and the code segment location.
The application service method according to claim 15, wherein obtaining the current signature information of the target application according to the code segment and the code segment location comprises:
splicing the code segment with the code segment location to obtain spliced code information;
obtaining signature information of the code segment according to the spliced code information;
using the signature information of the code segment as the current signature information of the target application.

The application service method according to claim 15, wherein acquiring the code segment and the code segment location of the target application according to the current identification information comprises:
determining the target application according to the current identification information;
selecting at least one code segment from the code of the target application as the code segment of the target application.

The application service method according to claim 15, further comprising:
determining whether permission to obtain the code segment exists for the target application;
wherein obtaining the code segment of the target application through the current identification information comprises:
if it is determined that permission to obtain the code segment exists for the target application, obtaining the code segment of the target application through the current identification information.
The application service method according to claim 1, wherein obtaining the service request of the target application comprises:
in the rich execution environment, obtaining feedback data samples of the target application, and using the obtained feedback data samples of the target application as the obtained service request of the target application;
and wherein processing according to the service request of the target application comprises: in the trusted execution environment, training, according to the feedback data samples, a decision model for obtaining service decision results from the feedback data of the target application, and using the decision model for obtaining service decision results as the processing result.

The application service method according to claim 19, further comprising:
in the rich execution environment, obtaining feedback data of the target application;
in the trusted execution environment, obtaining a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.
The application service method according to claim 20, further comprising:
in the trusted execution environment, storing the feedback data of the target application in a database;
determining whether collection of the feedback data is complete, and if so, deleting all feedback data from the database;
obtaining a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.

The application service method according to claim 21, further comprising:
determining whether the feedback data is encrypted, and if so, decrypting the feedback data;
wherein obtaining the service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model comprises:
obtaining the service decision result for the feedback data of the target application according to the decrypted feedback data and the decision model.
The application service method according to claim 1, wherein obtaining the service request of the target application comprises:
in the rich execution environment, obtaining feedback data of the target application, obtaining candidate objects according to the feedback data, and obtaining a decision request of the target application; and using the obtained decision request of the target application as the obtained service request of the target application;
and wherein processing according to the service request of the target application comprises: in the trusted execution environment, obtaining, according to the decision request of the target application, a decision model for obtaining a decision result from the candidate objects, obtaining a decision result according to the candidate objects and the decision model, and using the obtained decision result as the processing result.

The application service method according to claim 23, wherein obtaining candidate objects according to the feedback data comprises:
obtaining a set of objects corresponding to the feedback data;
obtaining a filter condition for the feedback data, selecting from the set of objects the objects that meet the filter condition, and using the objects that meet the filter condition as the candidate objects.
The application service method according to claim 23, wherein obtaining, according to the decision request of the target application, the decision model for obtaining a decision result from the candidate objects comprises:
obtaining the service identifier included in the decision request;
obtaining the decision model using the service identifier as an index.

The application service method according to claim 23, wherein obtaining the decision result according to the candidate objects and the decision model comprises:
scoring each element of the candidate objects according to the decision model to obtain a scoring result;
sorting the elements according to the scoring result to obtain a sorting result;
using the scoring result and the sorting result as the decision result.
An application service device, comprising:
a service judgment unit, configured to: determine, in a rich execution environment, whether a target application has a registered service; if so, obtain a service request of the target application, obtain current identification information of the target application according to the service request, and obtain current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered; and, if the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determine in a trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered;
a service processing unit, configured to process according to the service request of the target application if the determination result is yes.
A terminal, comprising:
a service judgment unit, configured to: determine, in a rich execution environment of the terminal, whether a target application has a registered service; if so, obtain a service request of the target application, obtain current identification information of the target application according to the service request, and obtain current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered; and, if the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determine in a trusted execution environment of the terminal whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered;
a service processing unit, configured to process according to the service request of the target application if the determination result is yes.
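The registration and per-request checks described in the claims above, as an added Python sketch that is not part of the patent text: the identification is compared on the rich execution environment side, and the code segment signature is compared against the record held by the trusted side. SHA-256 as the signature function, the fixed segment offset and length, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SEG_OFFSET, SEG_LEN = 16, 32  # assumed segment choice; the claims only say "at least one code segment"


def segment_signature(code: bytes, offset: int, length: int) -> bytes:
    """Signature of a code segment spliced with its location (SHA-256 is an assumption)."""
    segment = code[offset:offset + length]
    if len(segment) != length:
        raise ValueError("code segment out of range")
    # Fixed-width location fields keep the spliced encoding unambiguous.
    spliced = segment + offset.to_bytes(8, "big") + length.to_bytes(8, "big")
    return hashlib.sha256(spliced).digest()


class TrustedEnv:
    """Stand-in for the trusted execution environment and its database."""

    def __init__(self):
        self._db = {}  # service_id -> (uid, signature, offset, length)

    def register(self, uid, signature, offset, length):
        service_id = secrets.token_hex(16)
        self._db[service_id] = (uid, signature, offset, length)
        return service_id

    def segment_location(self, service_id):
        return self._db[service_id][2:]

    def signature_matches(self, service_id, current_signature):
        record = self._db.get(service_id)
        return record is not None and hmac.compare_digest(record[1], current_signature)


class RichEnv:
    """Stand-in for the rich execution environment front end.

    uid and code are assumed to be read at a privilege layer above the
    application (e.g. by the kernel), never reported by the application itself.
    """

    def __init__(self, tee):
        self._tee = tee
        self._index = {}  # service_id -> uid recorded at registration

    def register_service(self, uid, code):
        signature = segment_signature(code, SEG_OFFSET, SEG_LEN)
        service_id = self._tee.register(uid, signature, SEG_OFFSET, SEG_LEN)
        self._index[service_id] = uid
        return service_id

    def handle_request(self, service_id, current_uid, current_code):
        registered_uid = self._index.get(service_id)
        if registered_uid is None:
            return "rejected: no registered service"
        if current_uid != registered_uid:  # identification check, rich side
            return "rejected: identification mismatch"
        offset, length = self._tee.segment_location(service_id)
        try:
            current = segment_signature(current_code, offset, length)
        except ValueError:
            return "rejected: signature mismatch"
        if not self._tee.signature_matches(service_id, current):  # TEE side
            return "rejected: signature mismatch"
        return "processed"


if __name__ == "__main__":
    rich = RichEnv(TrustedEnv())
    code = bytes(range(128))  # constructed stand-in for an application's code
    sid = rich.register_service(1000, code)
    patched = bytearray(code)
    patched[20] ^= 0xFF  # one byte changed inside the measured segment
    print(rich.handle_request(sid, 1000, code))
    print(rich.handle_request(sid, 1000, bytes(patched)))
    print(rich.handle_request(sid, 1001, code))
```

Because the location is spliced into the hashed input, identical bytes found at a different offset produce a different signature, so a measured segment cannot be satisfied by the same code relocated elsewhere in the image.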
PCT/CN2020/088644 2019-05-16 2020-05-06 Application service method and device Ceased WO2020228564A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910411135.X 2019-05-16
CN201910411135.XA CN111953637B (en) 2019-05-16 2019-05-16 Application service method and device

Publications (1)

Publication Number Publication Date
WO2020228564A1 true WO2020228564A1 (en) 2020-11-19

Family

ID=73288833

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/088644 Ceased WO2020228564A1 (en) 2019-05-16 2020-05-06 Application service method and device

Country Status (2)

Country Link
CN (1) CN111953637B (en)
WO (1) WO2020228564A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113296831A (en) * 2021-06-11 2021-08-24 恒安嘉新(北京)科技股份公司 Application identifier extraction method and device, computer equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104023032A (en) * 2014-06-23 2014-09-03 北京握奇智能科技有限公司 Application limited unloading method based on dependable execution environment technology, server and terminal
CN105447387A (en) * 2015-11-05 2016-03-30 工业和信息化部电信研究院 Trusted application detection method and apparatus based on hardware isolation environment
US20170264607A1 (en) * 2015-03-30 2017-09-14 Oleksii Surdu Embedded trusted network security perimeter in computing systems based on ARM processors
US20170302701A1 (en) * 2016-04-14 2017-10-19 Airwatch Llc Integrated application scanning and mobile enterprise computing management system
CN108664772A (en) * 2018-04-27 2018-10-16 北京可信华泰信息技术有限公司 A method of ensureing security of system
CN109150548A (en) * 2015-12-01 2019-01-04 神州融安科技(北京)有限公司 A kind of digital certificate signature, sign test method and system, digital certificate system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105446713B (en) * 2014-08-13 2019-04-26 阿里巴巴集团控股有限公司 Safe storage method and device
CN107544981B (en) * 2016-06-25 2021-06-01 华为技术有限公司 Content recommendation method and device
EP3293656A1 (en) * 2016-09-13 2018-03-14 Gemalto Sa Method for controlling access to a trusted application in a terminal
CN108156175B (en) * 2018-01-22 2021-05-14 中证鹏元资信评估股份有限公司 Method for accessing shared storage information under cloud computing platform
CN108399329B (en) * 2018-01-23 2022-01-21 晶晨半导体(上海)股份有限公司 Method for improving security of trusted application program

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113296831A (en) * 2021-06-11 2021-08-24 恒安嘉新(北京)科技股份公司 Application identifier extraction method and device, computer equipment and storage medium
CN113296831B (en) * 2021-06-11 2023-08-25 恒安嘉新(北京)科技股份公司 Application identifier extraction method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN111953637A (en) 2020-11-17
CN111953637B (en) 2022-08-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 20804914; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 20804914; Country of ref document: EP; Kind code of ref document: A1