WO2021057982A1 - 应用程序的处理方法及相关产品 - Google Patents
应用程序的处理方法及相关产品 Download PDFInfo
- Publication number
- WO2021057982A1 WO2021057982A1 PCT/CN2020/118165 CN2020118165W WO2021057982A1 WO 2021057982 A1 WO2021057982 A1 WO 2021057982A1 CN 2020118165 W CN2020118165 W CN 2020118165W WO 2021057982 A1 WO2021057982 A1 WO 2021057982A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- module
- terminal
- service module
- service
- information
- Prior art date
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 21
- 238000000034 method Methods 0.000 claims abstract description 85
- 230000001960 triggered effect Effects 0.000 claims abstract description 18
- 230000006870 function Effects 0.000 claims description 113
- 238000012795 verification Methods 0.000 claims description 33
- 230000004044 response Effects 0.000 claims description 22
- 238000004590 computer program Methods 0.000 claims description 6
- 238000012545 processing Methods 0.000 description 56
- 238000004891 communication Methods 0.000 description 38
- 238000007726 management method Methods 0.000 description 30
- 230000005236 sound signal Effects 0.000 description 13
- 238000010586 diagram Methods 0.000 description 12
- 238000010295 mobile communication Methods 0.000 description 11
- 210000000988 bone and bone Anatomy 0.000 description 10
- 238000005516 engineering process Methods 0.000 description 9
- 238000009434 installation Methods 0.000 description 8
- 238000004422 calculation algorithm Methods 0.000 description 7
- 238000011161 development Methods 0.000 description 7
- 230000008569 process Effects 0.000 description 7
- 238000011068 loading method Methods 0.000 description 6
- 230000000694 effects Effects 0.000 description 5
- 229920001621 AMOLED Polymers 0.000 description 4
- 230000001133 acceleration Effects 0.000 description 3
- 238000013528 artificial neural network Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 230000036772 blood pressure Effects 0.000 description 2
- 230000001413 cellular effect Effects 0.000 description 2
- 238000013500 data storage Methods 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 238000009877 rendering Methods 0.000 description 2
- 230000000007 visual effect Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000003416 augmentation Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 238000010009 beating Methods 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 238000013529 biological neural network Methods 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 210000004556 brain Anatomy 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000019771 cognition Effects 0.000 description 1
- 230000000295 complement effect Effects 0.000 description 1
- 239000004020 conductor Substances 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 230000001815 facial effect Effects 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 230000005484 gravity Effects 0.000 description 1
- 230000003862 health status Effects 0.000 description 1
- 230000001976 improved effect Effects 0.000 description 1
- 230000001939 inductive effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000010985 leather Substances 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 210000002569 neuron Anatomy 0.000 description 1
- 239000002096 quantum dot Substances 0.000 description 1
- 230000005855 radiation Effects 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
- 230000003238 somatosensory effect Effects 0.000 description 1
- 230000006641 stabilisation Effects 0.000 description 1
- 238000011105 stabilization Methods 0.000 description 1
- 230000008093 supporting effect Effects 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 238000003786 synthesis reaction Methods 0.000 description 1
- 210000003462 vein Anatomy 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/125—Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/60—Digital content management, e.g. content distribution
- H04L2209/603—Digital right managament [DRM]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
Definitions
- This application relates to the technical field of application programs, in particular to an application processing method and related products.
- terminals such as mobile phones, tablet computers, and smart wearable devices have become popular.
- the terminal can help users realize various functions through various applications.
- the copyright protection of application programs has gradually received attention.
- the copyright protection of application programs is mainly aimed at the protection of application usage rights.
- the specific protection method is that the application program includes a digital rights management (digital rights management, DRM) module and a business module.
- DRM digital rights management
- the DRM module is used to protect the business module.
- the business module is used to realize the business function of the application, for example, the business module of the image processing application is used to realize the image processing function.
- the DRM module of the application first requests the DRM server to obtain the DRM signature.
- the DRM module of the application After the DRM module of the application obtains the DRM signature, the DRM module verifies whether the DRM signature is valid, such as If it is valid, the DRM module returns the authentication result of successful DRM authentication to the service module of the application. After the service module receives the authentication result of successful authentication, it realizes the service function of the application. However, if this protection method is adopted, unauthorized users only need to modify the authentication result returned by the DRM module to be a successful authentication, and then they can run the business module of the application at will to realize the business functions of the application. There are large loopholes in the protection of the usage rights of the business functions of the application.
- This application provides an application processing method and related products, which can effectively protect the usage rights of the business modules of the application.
- this application provides a method for processing an application program, the application program including one or more encrypted first service modules and unencrypted non-service modules.
- the method includes: first, when the non-service module obtains the first operation instruction of the first service module of the operation target triggered by the user, the terminal uses the non-service module to send a message to the Digital Rights Management (DRM) server Send a key acquisition request.
- the secret key acquisition request is used to request secret key information corresponding to the target first service module.
- the secret key information is fed back when the DRM server confirms that the user has the use right of the target first service module.
- the terminal obtains the secret key information sent by the DRM server by using the non-service module.
- the terminal uses the non-service module to decrypt the target first service module according to the secret key information, and executes the service function corresponding to the target first service module.
- the terminal since the first service module that needs to be protected is encrypted, the terminal needs to run the first service module to realize the corresponding service function, and must obtain the corresponding secret key information, and the conditions for obtaining the secret key information The user who uses the terminal must have the right to use the first service module. In this way, only users who have the right to use the first service module can use the service function of the first service module of the application program, so that the right to use the service function of the application program can be effectively protected.
- the secret key acquisition request includes the user information of the user and the module information of the target first service module, so that the DRM server can query the user's information according to the user information.
- Application permission information and determine whether the user has the use permission of the target first service module according to the application permission information and the module information.
- the DRM server can find the application permission information corresponding to the user according to the user information, so that the DRM server can use the application permission information of each user in the permission database, and check the use permission of each user to use the business module of the application. Control.
- the secret key acquisition request further includes verification information corresponding to the user information provided by the user, and the verification information is used by the DRM server to confirm the user before the query step. The information matches the verification information.
- the DRM server can verify whether the first operation instruction is triggered by the user corresponding to the user information, and prevent illegal users from obtaining the account information of the first user who has the right to use the target first service module and then using the first user
- the user information of the target obtains the secret key information of the target first service module from the DRM server.
- the method further includes: the terminal uses the non-service module to determine that the terminal does not have all The secret key information corresponding to the target first service module. Then, when the terminal has the secret key information corresponding to the target first service module, the non-business module may not need to send a secret key acquisition request to the DRM server, but can use the secret key information in the terminal to compare the target first service. The module is decrypted, so that the terminal can run the target first service module more quickly.
- the application program further includes an unencrypted second service module; the method further includes: when the non-service module obtains the second operation of the second service module triggered by the user When instructed, the terminal executes the service function corresponding to the second service module through the non-service module.
- One or more of the first business modules are used to implement part of the business functions of the application, and the second business modules are used to implement another part of the business functions of the application. In this way, it is possible to manage and control the usage rights of only part of the business functions of the application, making the way of managing the rights of the application more flexible.
- the non-service module includes a control module and a DRM module; the terminal uses the non-service module to send a key acquisition request to the DRM server, which specifically includes: the terminal uses the control module to send a request to the DRM server.
- the DRM module sends an authentication request; and the terminal uses the DRM module to send a secret key acquisition request to the DRM server according to the authentication request.
- the terminal receiving the secret key information sent by the DRM server by the non-service module specifically includes: the terminal receiving the secret key information sent by the DRM server by the DRM module.
- the terminal uses the non-service module to decrypt the target first service module according to the secret key information, and executes the service function corresponding to the target first service module includes: the terminal uses the DRM module according to The secret key information decrypts the target first service module, and sends an authentication response of successful authentication to the control module when the decryption is successful; and the control module receives the successful authentication of the authentication. In response to the right, the terminal uses the control module to execute the service function corresponding to the target first service module.
- the DRM module sends the authentication result of successful authentication to the control module, as long as the DRM module does not obtain the secret of the first service module.
- the first service module cannot be decrypted, so that only authorized users can use the service function corresponding to the first service module, effectively protecting the usage right of the service function of the application program.
- the terminal sending an authentication request to the DRM module by using the control module includes: the terminal displays a preset screen, and sending an authentication request to the DRM module through the control module .
- the control module receives the authentication response that the authentication is successful, the terminal uses the control module to execute the service function corresponding to the target first service module, which specifically includes: receiving at the control module
- the terminal stops displaying the preset screen, and uses the control module to execute the service function corresponding to the target first service module.
- the terminal displays a preset screen, which can prevent the terminal from being unable to run the target first service module immediately due to the secret key information, and causing the user to make mistakes. Think that the application is stuck.
- this application provides a terminal including a display screen, a memory, one or more processors, and multiple application programs.
- One or more programs are stored in the storage, and when one or more processors run the one or more programs, the terminal is caused to execute the processing method of the application program in any one of the possible implementation manners of the first aspect described above.
- an embodiment of the present application provides a computer storage medium, including computer instructions, which when the computer instructions run on a terminal, cause the terminal to execute the application processing method in any one of the possible implementations of the first aspect above .
- the embodiments of the present application provide a computer program product, which when the computer program product runs on a terminal, causes the terminal to execute the application processing method in any one of the possible implementations of the first aspect described above.
- FIG. 1 is a schematic diagram of a network architecture of an embodiment of the application
- FIG. 2 is a schematic structural diagram of a terminal provided by an embodiment of the application.
- FIG. 3 is a block diagram of the software structure of a terminal provided by an embodiment of the application.
- FIG. 4 is a schematic flowchart of an authentication method for an application program in the prior art
- FIG. 5 is a schematic flowchart of an application processing method provided by an embodiment of the application.
- FIG. 6 is a schematic diagram of an application scenario of an application processing method provided by an embodiment of the application.
- FIG. 7 is a schematic diagram of another application scenario of the application processing method provided by an embodiment of the application.
- FIG. 8 is a schematic diagram of another application scenario of the application processing method provided by the embodiment of the application.
- FIG. 9 is a schematic diagram of another application scenario of the application processing method provided by the embodiment of the application.
- FIG. 10 is a schematic diagram of still another application scenario of the application processing method provided by an embodiment of the application.
- first and second are only used for descriptive purposes, and cannot be understood as implying or implying relative importance or implicitly indicating the number of indicated technical features. Therefore, the features defined with “first” and “second” may explicitly or implicitly include one or more of these features. In the description of the embodiments of the present application, unless otherwise specified, “multiple” The meaning is two or more.
- FIG. 1 is a network architecture diagram provided by an embodiment of this application.
- the network architecture 100 includes a terminal 10, a digital rights management (DRM) server 20, and a communication link 30.
- the communication link 30 may be a wired communication link or a wireless communication link.
- the terminal 10 may include, but is not limited to, a personal computer, a smart phone, a smart wearable device, a smart TV, a tablet computer, a personal digital assistant, and so on.
- FIG. 2 shows a schematic diagram of the structure of the terminal 10.
- the terminal 10 shown in FIG. 2 is only an example, and the terminal 10 may have more or fewer components than those shown in FIG. 2, may combine two or more components, or may have Different component configurations.
- the various components shown in the figure may be implemented in hardware, software, or a combination of hardware and software including one or more signal processing and/or application specific integrated circuits.
- the terminal 10 may include: a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (USB) interface 130, a charging management module 140, a power management module 141, a battery 142, an antenna 1, and an antenna 2. , Mobile communication module 150, wireless communication module 160, audio module 170, speaker 170A, receiver 170B, microphone 170C, earphone jack 170D, sensor module 180, buttons 190, motor 191, indicator 192, camera 193, display screen 194, and Subscriber identification module (subscriber identification module, SIM) card interface 195, etc.
- SIM Subscriber identification module
- the sensor module 180 may include a pressure sensor 180A, a gyroscope sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, and ambient light Sensor 180L, bone conduction sensor 180M, etc.
- the structure illustrated in the embodiment of the present invention does not constitute a specific limitation on the terminal 10.
- the terminal 10 may include more or fewer components than shown in the figure, or combine certain components, or split certain components, or arrange different components.
- the illustrated components can be implemented in hardware, software, or a combination of software and hardware.
- the processor 110 may include one or more processing units.
- the processor 110 may include an application processor (AP), a modem processor, a graphics processing unit (GPU), and an image signal processor. (image signal processor, ISP), controller, memory, video codec, digital signal processor (digital signal processor, DSP), baseband processor, and/or neural-network processing unit (NPU) Wait.
- AP application processor
- modem processor modem processor
- GPU graphics processing unit
- image signal processor image signal processor
- ISP image signal processor
- controller memory
- video codec digital signal processor
- DSP digital signal processor
- NPU neural-network processing unit
- the different processing units may be independent devices or integrated in one or more processors.
- the controller may be the nerve center and command center of the terminal 10.
- the controller can generate operation control signals according to the instruction operation code and timing signals to complete the control of fetching and executing instructions.
- a memory may also be provided in the processor 110 to store instructions and data.
- the memory in the processor 110 is a cache memory.
- the memory can store instructions or data that the processor 110 has just used or used cyclically. If the processor 110 needs to use the instruction or data again, it can be directly called from the memory. Repeated accesses are avoided, the waiting time of the processor 110 is reduced, and the efficiency of the system is improved.
- the processor 110 may include one or more interfaces.
- the interface may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, and a universal asynchronous transceiver (universal asynchronous) interface.
- I2C integrated circuit
- I2S integrated circuit built-in audio
- PCM pulse code modulation
- PCM pulse code modulation
- UART universal asynchronous transceiver
- MIPI mobile industry processor interface
- GPIO general-purpose input/output
- SIM subscriber identity module
- USB Universal Serial Bus
- the I2C interface is a bidirectional synchronous serial bus, which includes a serial data line (SDA) and a serial clock line (SCL).
- the processor 110 may include multiple sets of I2C buses.
- the processor 110 may couple the touch sensor 180K, the charger, the flash, the camera 193, etc., respectively through different I2C bus interfaces.
- the processor 110 may couple the touch sensor 180K through an I2C interface, so that the processor 110 and the touch sensor 180K communicate through the I2C bus interface, so as to realize the touch function of the terminal 10.
- the I2S interface can be used for audio communication.
- the processor 110 may include multiple sets of I2S buses.
- the processor 110 may be coupled with the audio module 170 through an I2S bus to implement communication between the processor 110 and the audio module 170.
- the audio module 170 may transmit audio signals to the wireless communication module 160 through an I2S interface, so as to realize the function of answering calls through a Bluetooth headset.
- the PCM interface can also be used for audio communication to sample, quantize and encode analog signals.
- the audio module 170 and the wireless communication module 160 may be coupled through a PCM bus interface.
- the audio module 170 may also transmit audio signals to the wireless communication module 160 through the PCM interface, so as to realize the function of answering calls through the Bluetooth headset. Both the I2S interface and the PCM interface can be used for audio communication.
- the UART interface is a universal serial data bus used for asynchronous communication.
- the bus can be a two-way communication bus. It converts the data to be transmitted between serial communication and parallel communication.
- the UART interface is generally used to connect the processor 110 and the wireless communication module 160.
- the processor 110 communicates with the Bluetooth module in the wireless communication module 160 through the UART interface to realize the Bluetooth function.
- the audio module 170 may transmit audio signals to the wireless communication module 160 through a UART interface, so as to realize the function of playing music through a Bluetooth headset.
- the MIPI interface can be used to connect the processor 110 with the display screen 194, the camera 193 and other peripheral devices.
- the MIPI interface includes a camera serial interface (camera serial interface, CSI), a display serial interface (display serial interface, DSI), and so on.
- the processor 110 and the camera 193 communicate through a CSI interface to implement the shooting function of the terminal 10.
- the processor 110 and the display screen 194 communicate through a DSI interface to realize the display function of the terminal 10.
- the GPIO interface can be configured through software.
- the GPIO interface can be configured as a control signal or as a data signal.
- the GPIO interface can be used to connect the processor 110 with the camera 193, the display screen 194, the wireless communication module 160, the audio module 170, the sensor module 180, and so on.
- GPIO interface can also be configured as I2C interface, I2S interface, UART interface, MIPI interface and so on.
- the USB interface 130 is an interface that complies with the USB standard specification, and specifically may be a Mini USB interface, a Micro USB interface, a USB Type C interface, and so on.
- the USB interface 130 can be used to connect a charger to charge the terminal 10, and can also be used to transfer data between the terminal 10 and peripheral devices. It can also be used to connect headphones and play audio through the headphones. This interface can also be used to connect to other electronic devices, such as AR devices.
- the interface connection relationship between the modules illustrated in the embodiment of the present invention is merely a schematic description, and does not constitute a structural limitation of the terminal 10.
- the terminal 10 may also adopt different interface connection modes in the foregoing embodiments, or a combination of multiple interface connection modes.
- the charging management module 140 is used to receive charging input from the charger.
- the charger can be a wireless charger or a wired charger.
- the charging management module 140 may receive the charging input of the wired charger through the USB interface 130.
- the charging management module 140 may receive the wireless charging input through the wireless charging coil of the terminal 10. While the charging management module 140 charges the battery 142, it can also supply power to the electronic device through the power management module 141.
- the power management module 141 is used to connect the battery 142, the charging management module 140 and the processor 110.
- the power management module 141 receives input from the battery 142 and/or the charge management module 140, and supplies power to the processor 110, the internal memory 121, the external memory, the display screen 194, the camera 193, and the wireless communication module 160.
- the power management module 141 can also be used to monitor parameters such as battery capacity, battery cycle times, and battery health status (leakage, impedance).
- the power management module 141 may also be provided in the processor 110.
- the power management module 141 and the charging management module 140 may also be provided in the same device.
- the wireless communication function of the terminal 10 can be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, the modem processor, and the baseband processor.
- the antenna 1 and the antenna 2 are used to transmit and receive electromagnetic wave signals.
- Each antenna in the terminal 10 can be used to cover a single or multiple communication frequency bands. Different antennas can also be reused to improve antenna utilization.
- Antenna 1 can be multiplexed as a diversity antenna of a wireless local area network.
- the antenna can be used in combination with a tuning switch.
- the mobile communication module 150 may provide a wireless communication solution including 2G/3G/4G/5G and the like applied to the terminal 10.
- the mobile communication module 150 may include at least one filter, switch, power amplifier, low noise amplifier (LNA), etc.
- the mobile communication module 150 can receive electromagnetic waves by the antenna 1, and perform processing such as filtering, amplifying and transmitting the received electromagnetic waves to the modem processor for demodulation.
- the mobile communication module 150 can also amplify the signal modulated by the modem processor, and convert it into electromagnetic wave radiation via the antenna 1.
- at least part of the functional modules of the mobile communication module 150 may be provided in the processor 110.
- at least part of the functional modules of the mobile communication module 150 and at least part of the modules of the processor 110 may be provided in the same device.
- the modem processor may include a modulator and a demodulator.
- the modulator is used to modulate the low frequency baseband signal to be sent into a medium and high frequency signal.
- the demodulator is used to demodulate the received electromagnetic wave signal into a low-frequency baseband signal. Then the demodulator transmits the demodulated low-frequency baseband signal to the baseband processor for processing. After the low-frequency baseband signal is processed by the baseband processor, it is passed to the application processor.
- the application processor outputs a sound signal through an audio device (not limited to the speaker 170A, the receiver 170B, etc.), or displays an image or video through the display screen 194.
- the modem processor may be an independent device. In other embodiments, the modem processor may be independent of the processor 110 and be provided in the same device as the mobile communication module 150 or other functional modules.
- the wireless communication module 160 can provide applications on the terminal 10 including wireless local area networks (WLAN) (such as wireless fidelity (Wi-Fi) networks), bluetooth (BT), and global navigation satellite systems. (global navigation satellite system, GNSS), frequency modulation (FM), near field communication (NFC), infrared technology (infrared, IR) and other wireless communication solutions.
- WLAN wireless local area networks
- BT Bluetooth
- GNSS global navigation satellite system
- FM frequency modulation
- NFC near field communication
- IR infrared technology
- the wireless communication module 160 may be one or more devices integrating at least one communication processing module.
- the wireless communication module 160 receives electromagnetic waves via the antenna 2, frequency modulates and filters the electromagnetic wave signals, and sends the processed signals to the processor 110.
- the wireless communication module 160 may also receive the signal to be sent from the processor 110, perform frequency modulation, amplify it, and convert it into electromagnetic waves to radiate through the antenna 2.
- the antenna 1 of the terminal 10 is coupled with the mobile communication module 150, and the antenna 2 is coupled with the wireless communication module 160, so that the terminal 10 can communicate with the network and other devices through wireless communication technology.
- the wireless communication technology may include global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), broadband Code division multiple access (wideband code division multiple access, WCDMA), time-division code division multiple access (TD-SCDMA), long term evolution (LTE), BT, GNSS, WLAN, NFC , FM, and/or IR technology, etc.
- the GNSS may include global positioning system (GPS), global navigation satellite system (GLONASS), Beidou navigation satellite system (BDS), quasi-zenith satellite system (quasi -zenith satellite system, QZSS) and/or satellite-based augmentation systems (SBAS).
- GPS global positioning system
- GLONASS global navigation satellite system
- BDS Beidou navigation satellite system
- QZSS quasi-zenith satellite system
- SBAS satellite-based augmentation systems
- the terminal 10 implements a display function through a GPU, a display screen 194, and an application processor.
- the GPU is a microprocessor for image processing, connected to the display 194 and the application processor.
- the GPU is used to perform mathematical and geometric calculations for graphics rendering.
- the processor 110 may include one or more GPUs, which execute program instructions to generate or change display information.
- the display screen 194 is used to display images, videos, and the like.
- the display screen 194 includes a display panel.
- the display panel can use liquid crystal display (LCD), organic light-emitting diode (OLED), active matrix organic light-emitting diode or active-matrix organic light-emitting diode (active-matrix organic light-emitting diode).
- LCD liquid crystal display
- OLED organic light-emitting diode
- active-matrix organic light-emitting diode active-matrix organic light-emitting diode
- AMOLED flexible light-emitting diode (FLED), Miniled, MicroLed, Micro-oLed, quantum dot light-emitting diode (QLED), etc.
- the terminal 10 may include one or N display screens 194, and N is a positive integer greater than one.
- the terminal 10 can realize a shooting function through an ISP, a camera 193, a video codec, a GPU, a display screen 194, and an application processor.
- the ISP is used to process the data fed back by the camera 193. For example, when taking a picture, the shutter is opened, the light is transmitted to the photosensitive element of the camera through the lens, the light signal is converted into an electrical signal, and the photosensitive element of the camera transmits the electrical signal to the ISP for processing and is converted into an image visible to the naked eye.
- ISP can also optimize the image noise, brightness, and skin color. ISP can also optimize the exposure, color temperature and other parameters of the shooting scene.
- the ISP may be provided in the camera 193.
- the camera 193 is used to capture still images or videos.
- the object generates an optical image through the lens and is projected to the photosensitive element.
- the photosensitive element may be a charge coupled device (CCD) or a complementary metal-oxide-semiconductor (CMOS) phototransistor.
- CMOS complementary metal-oxide-semiconductor
- the photosensitive element converts the optical signal into an electrical signal, and then transfers the electrical signal to the ISP to convert it into a digital image signal.
- ISP outputs digital image signals to DSP for processing.
- DSP converts digital image signals into standard RGB, YUV and other formats of image signals.
- the terminal 10 may include one or N cameras 193, and N is a positive integer greater than one.
- Digital signal processors are used to process digital signals. In addition to digital image signals, they can also process other digital signals. For example, when the terminal 10 selects the frequency point, the digital signal processor is used to perform Fourier transform on the energy of the frequency point.
- Video codecs are used to compress or decompress digital video.
- the terminal 10 may support one or more video codecs. In this way, the terminal 10 can play or record videos in multiple encoding formats, such as: moving picture experts group (MPEG) 1, MPEG2, MPEG3, MPEG4, and so on.
- MPEG moving picture experts group
- MPEG2 MPEG2, MPEG3, MPEG4, and so on.
- NPU is a neural-network (NN) computing processor.
- NN neural-network
- applications such as intelligent cognition of the terminal 10 can be realized, such as image recognition, face recognition, voice recognition, text understanding, and so on.
- the external memory interface 120 may be used to connect an external memory card, such as a Micro SD card, to expand the storage capacity of the terminal 10.
- the external memory card communicates with the processor 110 through the external memory interface 120 to realize the data storage function. For example, save music, video and other files in an external memory card.
- the internal memory 121 may be used to store computer executable program code, where the executable program code includes instructions.
- the processor 110 executes various functional applications and data processing of the terminal 10 by running instructions stored in the internal memory 121.
- the internal memory 121 may include a storage program area and a storage data area.
- the storage program area can store an operating system, at least one application program (such as a sound playback function, an image playback function, etc.) required by at least one function.
- the data storage area can store data (such as audio data, phone book, etc.) created during the use of the terminal 10.
- the internal memory 121 may include a high-speed random access memory, and may also include a non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, a universal flash storage (UFS), and the like.
- UFS universal flash storage
- the terminal 10 can implement audio functions through the audio module 170, the speaker 170A, the receiver 170B, the microphone 170C, the earphone interface 170D, and the application processor. For example, music playback, recording, etc.
- the audio module 170 is used to convert digital audio information into an analog audio signal for output, and is also used to convert an analog audio input into a digital audio signal.
- the audio module 170 can also be used to encode and decode audio signals.
- the audio module 170 may be provided in the processor 110, or part of the functional modules of the audio module 170 may be provided in the processor 110.
- the speaker 170A also called “speaker” is used to convert audio electrical signals into sound signals.
- the terminal 10 can listen to music through the speaker 170A, or listen to a hands-free call.
- the receiver 170B also called “earpiece” is used to convert audio electrical signals into sound signals.
- the terminal 10 answers a call or voice message, it can receive the voice by bringing the receiver 170B close to the human ear.
- the microphone 170C also called “microphone”, “microphone”, is used to convert sound signals into electrical signals.
- the user can make a sound by approaching the microphone 170C through the human mouth, and input the sound signal into the microphone 170C.
- the terminal 10 may be provided with at least one microphone 170C. In other embodiments, the terminal 10 may be provided with two microphones 170C, which can implement noise reduction functions in addition to collecting sound signals. In other embodiments, the terminal 10 may also be provided with three, four or more microphones 170C to collect sound signals, reduce noise, identify sound sources, and realize directional recording functions.
- the earphone interface 170D is used to connect wired earphones.
- the earphone interface 170D may be a USB interface 130, or a 3.5mm open mobile terminal platform (OMTP) standard interface, and a cellular telecommunications industry association (cellular telecommunications industry association of the USA, CTIA) standard interface.
- OMTP open mobile terminal platform
- CTIA cellular telecommunications industry association of the USA, CTIA
- the pressure sensor 180A is used to sense the pressure signal and can convert the pressure signal into an electrical signal.
- the pressure sensor 180A may be provided on the display screen 194.
- the capacitive pressure sensor may include at least two parallel plates with conductive materials. When a force is applied to the pressure sensor 180A, the capacitance between the electrodes changes. The terminal 10 determines the strength of the pressure according to the change in capacitance. When a touch operation acts on the display screen 194, the terminal 10 detects the intensity of the touch operation according to the pressure sensor 180A. The terminal 10 may also calculate the touched position based on the detection signal of the pressure sensor 180A.
- touch operations that act on the same touch position but have different touch operation strengths may correspond to different operation instructions. For example, when a touch operation whose intensity of the touch operation is less than the first pressure threshold is applied to the short message application icon, an instruction to view the short message is executed. When a touch operation with a touch operation intensity greater than or equal to the first pressure threshold acts on the short message application icon, an instruction to create a new short message is executed.
- the gyro sensor 180B may be used to determine the motion posture of the terminal 10. In some embodiments, the angular velocity of the terminal 10 around three axes (ie, x, y, and z axes) can be determined by the gyro sensor 180B.
- the gyro sensor 180B can be used for image stabilization. Exemplarily, when the shutter is pressed, the gyroscope sensor 180B detects the shake angle of the terminal 10, calculates the distance that the lens module needs to compensate according to the angle, and allows the lens to counteract the shake of the terminal 10 through reverse movement to achieve anti-shake.
- the gyro sensor 180B can also be used for navigation and somatosensory game scenes.
- the air pressure sensor 180C is used to measure air pressure.
- the terminal 10 calculates the altitude based on the air pressure value measured by the air pressure sensor 180C to assist positioning and navigation.
- the magnetic sensor 180D includes a Hall sensor.
- the terminal 10 can use the magnetic sensor 180D to detect the opening and closing of the flip holster.
- the terminal 10 when the terminal 10 is a flip machine, the terminal 10 can detect the opening and closing of the flip according to the magnetic sensor 180D.
- features such as automatic unlocking of the flip cover are set.
- the acceleration sensor 180E can detect the magnitude of the acceleration of the terminal 10 in various directions (generally three axes). When the terminal 10 is stationary, the magnitude and direction of gravity can be detected. It can also be used to identify the posture of electronic devices, and be used in applications such as horizontal and vertical screen switching, pedometers and so on.
- the terminal 10 can measure the distance by infrared or laser. In some embodiments, when shooting a scene, the terminal 10 may use the distance sensor 180F to measure the distance to achieve fast focusing.
- the proximity light sensor 180G may include, for example, a light emitting diode (LED) and a light detector such as a photodiode.
- the light emitting diode may be an infrared light emitting diode.
- the terminal 10 emits infrared light to the outside through the light emitting diode.
- the terminal 10 uses a photodiode to detect infrared reflected light from nearby objects. When sufficient reflected light is detected, it can be determined that there is an object near the terminal 10. When insufficient reflected light is detected, the terminal 10 can determine that there is no object near the terminal 10.
- the terminal 10 can use the proximity light sensor 180G to detect that the user holds the terminal 10 close to the ear to talk, so as to automatically turn off the screen to save power.
- the proximity light sensor 180G can also be used in leather case mode, and the pocket mode will automatically unlock and lock the screen.
- the ambient light sensor 180L is used to sense the brightness of the ambient light.
- the terminal 10 can adaptively adjust the brightness of the display screen 194 according to the perceived brightness of the ambient light.
- the ambient light sensor 180L can also be used to automatically adjust the white balance when taking pictures.
- the ambient light sensor 180L can also cooperate with the proximity light sensor 180G to detect whether the terminal 10 is in a pocket to prevent accidental touch.
- the fingerprint sensor 180H is used to collect fingerprints.
- the terminal 10 can use the collected fingerprint characteristics to implement fingerprint unlocking, access application locks, fingerprint photographs, fingerprint answering calls, and so on.
- the temperature sensor 180J is used to detect temperature.
- the terminal 10 uses the temperature detected by the temperature sensor 180J to execute a temperature processing strategy. For example, when the temperature reported by the temperature sensor 180J exceeds a threshold value, the terminal 10 executes to reduce the performance of the processor located near the temperature sensor 180J, so as to reduce power consumption and implement thermal protection.
- the terminal 10 when the temperature is lower than another threshold, the terminal 10 heats the battery 142 to prevent the terminal 10 from shutting down abnormally due to low temperature.
- the terminal 10 boosts the output voltage of the battery 142 to avoid abnormal shutdown caused by low temperature.
- Touch sensor 180K also called “touch panel”.
- the touch sensor 180K may be disposed on the display screen 194, and the touch screen is composed of the touch sensor 180K and the display screen 194, which is also called a “touch screen”.
- the touch sensor 180K is used to detect touch operations acting on or near it.
- the touch sensor can pass the detected touch operation to the application processor to determine the type of touch event.
- the visual output related to the touch operation can be provided through the display screen 194.
- the touch sensor 180K may also be disposed on the surface of the terminal 10, which is different from the position of the display screen 194.
- the bone conduction sensor 180M can acquire vibration signals.
- the bone conduction sensor 180M can obtain the vibration signal of the vibrating bone mass of the human voice.
- the bone conduction sensor 180M can also contact the human pulse and receive the blood pressure pulse signal.
- the bone conduction sensor 180M may also be provided in the earphone, combined with the bone conduction earphone.
- the audio module 170 can parse the voice signal based on the vibration signal of the vibrating bone block of the voice obtained by the bone conduction sensor 180M, and realize the voice function.
- the application processor may analyze the heart rate information based on the blood pressure beating signal obtained by the bone conduction sensor 180M, and realize the heart rate detection function.
- the button 190 includes a power-on button, a volume button, and so on.
- the button 190 may be a mechanical button. It can also be a touch button.
- the terminal 10 can receive key input, and generate key signal input related to user settings and function control of the terminal 10.
- the motor 191 can generate vibration prompts.
- the motor 191 can be used for incoming call vibration notification, and can also be used for touch vibration feedback.
- touch operations that act on different applications can correspond to different vibration feedback effects.
- Acting on touch operations in different areas of the display screen 194, the motor 191 can also correspond to different vibration feedback effects.
- Different application scenarios for example: time reminding, receiving information, alarm clock, games, etc.
- the touch vibration feedback effect can also support customization.
- the indicator 192 may be an indicator light, which may be used to indicate the charging status, power change, or to indicate messages, missed calls, notifications, and so on.
- the SIM card interface 195 is used to connect to the SIM card.
- the SIM card can be inserted into the SIM card interface 195 or pulled out from the SIM card interface 195 to achieve contact and separation with the terminal 10.
- the terminal 10 may support 1 or N SIM card interfaces, and N is a positive integer greater than 1.
- the SIM card interface 195 can support Nano SIM cards, Micro SIM cards, SIM cards, etc.
- the same SIM card interface 195 can insert multiple cards at the same time. The types of the multiple cards can be the same or different.
- the SIM card interface 195 can also be compatible with different types of SIM cards.
- the SIM card interface 195 may also be compatible with external memory cards.
- the terminal 10 interacts with the network through the SIM card to implement functions such as call and data communication.
- the terminal 10 adopts an eSIM, that is, an embedded SIM card.
- the eSIM card can be embedded in the terminal 10 and cannot be separated from the terminal 10.
- the software system of the terminal 10 may adopt a layered architecture, an event-driven architecture, a microkernel architecture, a microservice architecture, or a cloud architecture.
- the embodiment of the present invention takes an Android system with a layered architecture as an example to illustrate the software structure of the terminal 10 by way of example.
- FIG. 3 is a block diagram of the software structure of the terminal 10 according to an embodiment of the present invention.
- the layered architecture divides the software into several layers, and each layer has a clear role and division of labor. Communication between layers through software interface.
- the Android system is divided into four layers, from top to bottom, the application layer, the application framework layer, the Android runtime and system library, and the kernel layer.
- the application layer can include a series of application packages.
- one of the applications includes a control module, a DRM module, and one or more encrypted first business modules.
- the first business module is used to implement the business functions of the application, and the control module is used to control the DRM module pairing.
- the first service module decrypts and controls the operation of the first service module after the decryption.
- the control module may include, for example, the Application class and initialization code called by it, such as reading configuration items, initializing database connections, and so on.
- the application framework layer provides an application programming interface (application programming interface, API) and a programming framework for applications in the application layer.
- the application framework layer includes some predefined functions.
- the application framework layer can include a window manager, a content provider, a view system, a phone manager, a resource manager, a notification manager, and so on.
- the window manager is used to manage window programs.
- the window manager can obtain the size of the display, determine whether there is a status bar, lock the screen, take a screenshot, etc.
- the content provider is used to store and retrieve data and make these data accessible to applications.
- the data may include videos, images, audios, phone calls made and received, browsing history and bookmarks, phone book, etc.
- the view system includes visual controls, such as controls that display text, controls that display pictures, and so on.
- the view system can be used to build applications.
- the display interface can be composed of one or more views.
- a display interface that includes a short message notification icon may include a view that displays text and a view that displays pictures.
- the phone manager is used to provide the communication function of the terminal 10. For example, the management of the call status (including connecting, hanging up, etc.).
- the resource manager provides various resources for the application, such as localized strings, icons, pictures, layout files, video files, and so on.
- the notification manager enables the application to display notification information in the status bar, which can be used to convey notification-type messages, and it can disappear automatically after a short stay without user interaction.
- the notification manager is used to notify download completion, message reminders, and so on.
- the notification manager can also be a notification that appears in the status bar at the top of the system in the form of a chart or a scroll bar text, such as a notification of an application running in the background, or a notification that appears on the screen in the form of a dialog window. For example, text messages are prompted in the status bar, prompt sounds, electronic devices vibrate, and indicator lights flash.
- Android Runtime includes core libraries and virtual machines. Android runtime is responsible for the scheduling and management of the Android system.
- the core library consists of two parts: one part is the function functions that the java language needs to call, and the other part is the core library of Android.
- the application layer and application framework layer run in the Android virtual machine (DALVIK).
- the Android virtual machine executes the java files in the application layer and the application framework layer as binary files.
- the Android virtual machine is used to perform functions such as object life cycle management, stack management, thread management, security and exception management, and garbage collection.
- the system library can include multiple functional modules. For example: surface manager (surface manager), media library (Media Libraries), three-dimensional graphics processing library (for example: OpenGL ES), 2D graphics engine (for example: SGL), etc.
- the surface manager is used to manage the display subsystem and provides a combination of 2D and 3D layers for multiple applications.
- the media library supports playback and recording of a variety of commonly used audio and video formats, as well as still image files.
- the media library can support a variety of audio and video encoding formats, such as: MPEG4, H.264, MP3, AAC, AMR, JPG, PNG, etc.
- the 3D graphics processing library is used to realize 3D graphics drawing, image rendering, synthesis, and layer processing.
- the 2D graphics engine is a drawing engine for 2D drawing.
- the kernel layer is the layer between hardware and software.
- the kernel layer contains at least display driver, camera driver, audio driver, and sensor driver.
- Digital Rights Management refers to some technologies used by publishers to control the use rights of protected objects, and are used to handle digital content (such as software, music, movies) and use rights for digital products To manage.
- DRM protection technology can control and restrict the right to use these digital contents.
- the key to copyright protection of software or applications is to prevent unauthorized users from performing part or all of the functions of the protected application. That is, the key to copyright protection of software or applications is the use of software or applications. Manage permissions without restricting the copying of software/applications.
- FIG. 4 is a schematic diagram of a process of digital rights management of an application program in the prior art.
- the application program includes a DRM module and a service module.
- the DRM module is used to protect the copyright of the business module by managing the usage rights of the business module.
- the business module is used to implement the business functions of the application, for example, the business module of the image processing application software is used to implement the image processing function.
- the specific copyright protection methods are:
- S401 The service module of the terminal obtains the user's startup operation for the application.
- the terminal starts the application in response to the user's starting operation for the application, and the service module in the application sends an authentication request to the DRM module.
- the authentication request is used to instruct the DRN module to identify whether the user has the right to use the service module.
- the DRM module sends a DRM signature acquisition request to the DRM server according to the authentication request.
- the DRM server After confirming that the user has purchased the application, the DRM server sends the DRM signature of the application to the terminal.
- the DRM module verifies whether the DRM signature is legal
- the service module confirms whether to perform the corresponding service function according to the authentication result, so that unauthorized users can modify the verification result sent by the DRM module to the service module by illegal means to be a successful verification.
- the DRM module has not obtained the DRM signature, and the service module can still operate normally. Unauthorized users only need to modify the verification result sent by the DRM module to the business module to use the business functions of the application at will, and the use authority of the business module of the application cannot be protected.
- the present application provides a processing method for an application program, the application program including a control module, a DRM module, and one or more encrypted first service modules.
- the control module and DRM module are unencrypted.
- the control module is used to control the operation of the first service module to realize part or all of the service functions of the application program.
- the business functions of a picture processing application include opening pictures, editing pictures, and saving pictures.
- the DRM module is used to obtain the secret key of the first service module and decrypt the first service module.
- the control module of the application program when the control module of the application program obtains the first running instruction of the first service module of the running target triggered by the user, the control module sends an authentication request to the DRM module.
- the DRM module sends a secret key acquisition request to the DRM server according to the authentication request.
- the secret key acquisition request may include the user information of the user and the module information of the target first service module.
- the DRM server After confirming that the user has the use authority of the target first service module according to the user information and the module information, the DRM server sends the secret key information of the target first service module to the terminal. After obtaining the secret key information, the DRM module decrypts the target first service module and sends an authentication response to the control module when the decryption is successful.
- the control module then executes the business function corresponding to the target first business module.
- the DRM module sends the authentication result of successful authentication to the control module, as long as the DRM module does not obtain the secret of the first service module.
- the first service module cannot be decrypted, so that only authorized users can use the service function corresponding to the first service module, effectively protecting the usage right of the service function of the application program.
- control module and the DRM module can be combined into one module, for example, the control module and the DRM module can be combined into a non-service module.
- the terminal uses the non-service module to send a key acquisition request to the DRM server.
- the secret key acquisition request is used to request the DRM server to return the secret key information of the target first service module when confirming that the user has the use authority of the target first service module.
- the non-business module is used to obtain the secret key information sent by the DRM server, and then the first business module is decrypted according to the secret key information, and the business function corresponding to the target first business module is executed.
- the following specifically introduces an application processing method provided in this application.
- the application program includes a control module, a DRM module, and one or more first service modules that are respectively encrypted.
- the control module is used to control the DRM module to decrypt the first service module and control the operation of the first service module after decryption, so as to realize the service function corresponding to the first service module.
- the control module may include, for example, the Application class and initialization code called by it, such as reading configuration items, initializing database connections, and so on.
- the first service module is used to implement the service function of the application program.
- each first business module is used to implement different business functions.
- a picture processing application includes an opening business module for realizing the business function of opening pictures, an editing business module for realizing the business function of editing pictures, and a saving business module for realizing the business function of saving pictures.
- the opening service module, the editing service module, and the saving service module are all encrypted together, it can be considered that the image processing application includes a first service module.
- the one first business module is used to realize the business function of opening the picture, the business function of editing the picture, and the business function of saving the picture.
- the open service module, the edit service module, and the save service module are encrypted separately, the image processing application includes multiple first service modules, namely the open service module, the edit service module, and the save service module, and each first service Modules are used to implement different business functions of image processing applications.
- the method includes but is not limited to the following steps:
- the control module acquires a first running instruction of a first service module of a running target triggered by a user.
- the application is a picture processing application.
- the image processing application includes three first business modules that are encrypted separately, which are an open business module for realizing the business function of opening pictures, an editing business module for realizing the business function of editing pictures, and an editing business module for realizing the business function of saving pictures. Save the business module.
- the touch screen of the terminal displays the interface 600 of the image processing application program.
- the interface includes an open control 601 for triggering the operation and opening of the service module, an editing control 602 for triggering the operation of the editing service module, and an editing control 602 for triggering the operation and saving service module.
- the control module obtains the click operation through the touch display screen, and then confirms that the first operation instruction to run the open business module is obtained, and the open business module is the target first Business module. It can be understood that, although this application uses a touch screen as an example for introduction, this does not constitute a limitation.
- the control module can use the start instruction triggered by the user to start the application program as the first running instruction, and The one first service module serves as the target first service module.
- a picture processing application includes three business functions: opening pictures, editing pictures, and saving pictures.
- the picture processing application program includes a control module, a DRM module and an encrypted first service module.
- the first business module is used to implement all business functions of the image processing application.
- the open business module used to realize the business function of opening pictures, the editing business module used to realize the business function of editing pictures, and the saving business module used to realize the business function of saving pictures are all encrypted together.
- the control module can take the user-triggered start instruction to start the image processing application as the first running instruction. As shown in FIG.
- the terminal may display the main interface 700, including the image processing application icon 701 of the image processing application, the first chat application icon 702, the second chat application icon 703, the gallery application icon 704, the setting application icon 705, Camera application icon 706.
- the user can click the image processing application icon 701 to trigger a start instruction to start the image processing application.
- the operating system of the terminal obtains the user-triggered start instruction to start the image processing application, it starts the application, first runs the control module of the image processing application, and loads the control module into the Android virtual machine to run.
- the control module confirms that the first running instruction is acquired according to the start instruction.
- the control module sends an authentication request to the DRM module in response to the first running instruction.
- the control module sends an authentication request to the DRM module according to the running instruction.
- the authentication request is used to request the DRM module to verify whether the user has the right to use the target first service module.
- the authentication request includes the module information corresponding to the target first service module.
- the module information may be, for example, the service module identifier of the target first service module.
- the service module identifier is a unique identifier that can indicate the target first service module.
- the control module can call the com.huawei.DrmSDK.decryptPackage method in the attachBaseContext method of the Application class. In this way, the control module can call the DRM module and send an authentication request to the control module.
- the DRM module sends a secret key acquisition request to the DRM server according to the authentication request.
- the secret key acquisition request includes the user information of the user and the module information.
- the user information may include user identification information capable of representing the identity of the user.
- the DRM server can find the application authority information corresponding to the user according to the user information.
- the user identification information may be the unique identification information used to indicate the identity of the user.
- the unique identification information may be, for example, but not limited to, the card identification information of the user identification card (SIM card) of the terminal, the user account when the user downloads the application from the application download platform, the user's email account, and the user's Payment platform's payment ID, bank card number, ID number, etc.
- the DRM module Before the DRM module sends the secret key acquisition request to the DRM server according to the authentication request, it can display the user information input box on the display screen of the terminal by calling the standard function interface provided by the operating system for displaying the input box. The user can input user identification information in the user information input box through the operating terminal.
- the image processing application includes a plurality of first service modules encrypted respectively, which are respectively opening the service module, editing the service module, and saving the service module.
- the touch screen of the terminal displays an interface 800.
- the interface 800 includes an open control 801 for triggering the running and opening of the business module, an editing control 802 for triggering the running and editing of the business module, and Run the save control 803 of the save service module.
- the control module of the image processing application confirms that it has obtained the first operation instruction to open the business module, and then the business is opened.
- the module serves as the target first business module.
- the control module sends an authentication request to the DRM module of the image processing application.
- the DRM module calls the standard function interface used by the operating system to display the input box, and displays the user information input box 804 on the interface 800.
- the user can input user identification information in the user information input box 804 through the operating terminal.
- the user identification information for example, It can be a user account.
- the DRM module then obtains the user identification information input by the user in the input box 804 according to the standard function interface.
- the input box may also be displayed on other interfaces.
- the control can trigger the user to trigger the startup instruction to start the application As the first operation instruction, and use the one first service module as the target first service module.
- the interface displayed on the terminal displays an input box when the user triggers the startup instruction to start the application program.
- the foregoing interface for displaying the input box is only used for illustration, and in this application, the interface for displaying the input box is not limited.
- the module information and secret key information corresponding to the target first service module can be stored in the terminal for a preset period of time (for example, 0.5 hours). , 1 hour, 2 hours, 3.5 hours, 6 hours, 24 hours, etc.). Specifically, the DRM module may save the module information and secret key information corresponding to the target first service module in the memory of the terminal. When the duration of the module information and secret key information stored in the terminal exceeds the preset duration, the DRM module deletes the module information and secret key information.
- the DRM module After the DRM module receives the authentication request sent by the control module, before step 503, the DRM module can search the terminal for the secret key information corresponding to the module information in the authentication request.
- the DRM module decrypts the target first service module according to the secret key information, and sends an authentication response of successful authentication to the control module when the decryption is successful.
- the DRM module executes step 503 and sends a secret key acquisition request to the DRM server according to the authentication request.
- the DRM module can search for the target first service module from the terminal.
- the secret key information corresponding to the service module does not need to obtain secret key information from the DRM server. This can improve the operating efficiency of the application.
- the DRM module deletes the secret key information, which can prevent the secret key information from being stored in the terminal for a long time and causing the secret key information to leak. For example, after exiting the application, the user may reopen the application and run the target first service module within a short time. In this case, the DRM module does not need to retrieve the secret key information from the DMR server, so that the terminal The target first business module can be run more quickly.
- the DRM server receives the secret key acquisition request, and determines whether the user has the right to use the target first service module according to the secret key acquisition request;
- the DRM server can query the permission information of the application corresponding to the user information from the permission database, and then judge the user by judging whether the permission information of the application corresponding to the user information includes the module information in the secret key acquisition request. Whether you have the right to use the first business module of the target.
- the authority database stores user information of multiple users and application authority information corresponding to each user information.
- the application permission information corresponding to each user information includes the module information of the first service module for which the user corresponding to the user information has the use permission.
- the module information of the first business module may include, for example, the unique identification information of the first business module, and may also include the application unique identification information of the application corresponding to the first business module and the business model keywords of the first business module.
- the application permission information corresponding to each user information may be determined according to the purchase record of the user corresponding to the user information. For example, if the user Y purchases the application M and obtains the use permission of a first service module K of the application M, then the application permission information corresponding to the user information of the user Y in the permission database includes the first service module K Module information.
- the application permission information corresponding to the user information includes the module information in the key acquisition request, confirm that the user has the use permission of the target first service module; when the module information corresponding to the user information does not include the secret key acquisition When requesting the module information, it is confirmed that the user does not have the right to use the target first service module.
- the DRM server can obtain the user identity information of the user according to the user information, and according to the user identity information, determine whether the user has the right to use the target first service module.
- the user identity information may include, but is not limited to, any one or more of the user's age, gender, and residential area, for example.
- the authority database stores the identity information requirements required by the use authority of the first business module of each application program.
- the DRM server can obtain the user identity information of the user according to the user information. For example, when the user information contains user identity information, the DRM server can extract the user identity information from the user information; when the user information does not contain user identity information, the DRM server can also use the user information (such as user identification information), Query the user identity information of the user from the identity information database.
- the DRM server may obtain the identity information requirement corresponding to the target first service module from the authorization database according to the module information in the secret key obtaining request, and determine whether the user identity information meets the identity information requirement corresponding to the target first service module. If it does, the DRM server can confirm that the user has the right to use the target first service module; if it doesn't, the DRM server confirms that the user does not have the right to use the target first service module.
- the secret key acquisition request may also include verification information corresponding to the user information.
- the verification information may include, for example, one or more of password information, biometric information, and gesture information.
- the biometric information may include, but is not limited to, fingerprint information, facial feature information, vein information, iris information, and so on.
- the DRM module can display the information input box on the terminal by invoking the operating system's standard function interface used to provide the input box.
- the DRM module obtains the user information and verification information entered by the user in the user information input box.
- the user information input by the user may be, for example, user identification information of the user.
- the DRM module can call the operating system's standard function interface for collecting biometrics to collect the user's biometric information.
- the DRM module can call a standard function interface for collecting fingerprint information to collect the user's fingerprint information.
- the DRM module can save the user information and the corresponding verification information in the memory of the terminal and set the validity period.
- the DRM module deletes the user information and the verification information. In this way, when the DRM module needs to obtain the user information and the corresponding verification information of the user again within the validity period, it can be directly obtained from the memory of the terminal without the need for the user to input again. This can simplify user operations and also enable the terminal to run the target first service module more quickly.
- the DRM module After obtaining the user information and the corresponding verification information, the DRM module sends the user information and the verification information to the DRM server along with the secret key acquisition request.
- the DRM server verifies whether the verification information in the key acquisition request matches the user information. If there is a match, the DRM server confirms that the user information corresponds to the user who issued the run instruction, and further determines whether the user has the right to use the target first service module; if it does not match the DRM server, you do not need to determine to continue the user Whether you have the right to use the first business module of the target.
- the DRM server can verify whether the first operation instruction is triggered by the user corresponding to the user information, and prevent illegal users from obtaining the account information of the first user who has the right to use the target first service module and then using the first user
- the user information of the target obtains the secret key information of the target first service module from the DRM server.
- the DRM server multiple user information and pre-stored verification information matching each user information are stored.
- the DRM server determines whether the verification information in the key acquisition request matches the user information, it can first determine whether the verification information in the key acquisition request matches the pre-stored verification information corresponding to the user information. If they match, it is determined that the verification information in the key acquisition request matches the user information; if they do not match, it is determined that the verification information in the key acquisition request does not match the user information.
- the DRM server stores multiple user information and pre-stored fingerprint information matching each user information.
- the DRM module calls the fingerprint recognition module of the terminal through the standard function interface of the operating system to collect the user's fingerprint information as verification information, and sends the user information and the fingerprint information along with the secret key acquisition request to the DRM server.
- the DRM server determines whether the fingerprint information in the key acquisition request matches the pre-stored fingerprint information corresponding to the user information. If they match, it determines that the verification information in the key acquisition request matches the user information; if they do not match, it determines that the fingerprint information matches the user information.
- the authentication information in the key acquisition request does not match the user information.
- user information is not limited to only including user identification information
- verification information is not limited to password information and biometric information.
- the method of obtaining user information and the method of obtaining verification information are not limited to the above-mentioned examples, and the above-mentioned examples are only used for explanation and do not constitute a limitation on this application.
- the secret key acquisition request may also include terminal information of the terminal, and the terminal information may include a unique terminal identifier for identifying the terminal.
- the terminal unique identifier may be, but is not limited to, the physical address of the terminal. Terminal serial number, etc.
- the secret key acquisition request further includes authentication information of the DRM module, and the authentication information may be preset by the developer of the application.
- the DRM server can verify the legitimacy of the DRM module according to the authentication information, which can prevent illegal programs from stealing the secret key information from the DRM server.
- the DRM server After the DRM server confirms that the user has the use authority of the target first business model, it can further determine whether the target first business module can be run on the terminal according to the terminal information, so that the DRM server can only allow users with the use authority The user runs the target first service module on a terminal that meets the preset conditions.
- the preset condition may be, but is not limited to, configuration parameters of the terminal.
- the configuration parameters can be, for example, memory size, CPU model, and so on.
- the target first service module can be operated on a terminal that meets the configuration parameters and meets the requirements, so as to ensure the operation effect of the target first service module.
- the preset condition may be other conditions, which are not limited here.
- the DRM server obtains the secret key information of the target first service module.
- the DRM server stores a plurality of agreed encryption methods of the first service modules.
- the DRM server may obtain the agreed encryption mode corresponding to the target first service module according to the module information in the secret key obtaining request. For example, when the module information includes the service module identifier of the target first service module, the DRM server may obtain the agreed encryption method of the target first service module according to the service module identifier, and then obtain the target first service according to the agreed encryption method The secret key information of the module. The DRM server then sends the secret key information to the terminal.
- the secret key information may include, for example, the agreed encryption method or the decryption algorithm obtained according to the encryption method of the encryption agreement.
- the developer can encrypt the code of the business module of the application program using an agreed encryption method to obtain one or more first business modules, and then the control module, DRM module and one or more of the application program
- the first service module is packaged to obtain the installation package of the application program. Then release the installation package of the application to an application store or other application download platform for users to download.
- an image processing application includes opening a business module, editing a business module, and saving a business module.
- the developer of the image processing application needs to set the usage rights for opening the business module, editing the business module, and saving the business module, the developer can use the agreed encryption method to open the business module, edit the business module, and save the business module.
- the control module, the DRM module, and the open service module, the edit service module, and the save service module that are encrypted together are packaged to obtain the installation package of the image processing application.
- the open service module, edit service module, and save service module that are encrypted together can be understood as a first service module.
- the developer of the image processing application needs to set the usage rights for the open business module, the edit business module and the save business module
- the developer can encrypt the open business module, edit business module and save business module using the agreed encryption method.
- the encrypted open business module can understand a first business module
- the encrypted edit business module can be understood as a first business module
- the encrypted save business module can also be understood as a first business module.
- the application includes Three first business modules.
- the developer can encrypt the code of the business module of the application program using an agreed encryption method to obtain one or more first business modules, and then the control module, DRM module, and one Or multiple first business modules are packaged and digitally signed to obtain the installation package of the application program, and then the installation package of the application program is released to the application store or other application download platform for users to download.
- the developer can package the code of the business module into a new Android Dex file, and encrypt the Dex file using an agreed encryption method.
- the encrypted Dex file includes one or more first business modules.
- the developer packs and signs the encrypted Dex file, control module and DRM module to obtain the installation package of the application.
- the digital signature is used to mark the legitimacy of the application. If an illegal user modifies and repackages a legitimate application, the digital signature will become invalid.
- the terminal can verify whether the application is a legitimate application by verifying whether the digital signature in the installation package of the application is valid.
- the agreed encryption method is the encryption method agreed upon between the developer and the DRM server.
- the agreed encryption method can be provided by the application download platform, pre-stored in the DRM server, or set by the developer.
- the application download platform When the agreed encryption method is provided by the application download platform, the application download platform sends the agreed encryption method to the DRM server, and provides the agreed encryption method to the developer. In this way, the DRM server can obtain the agreed encryption method provided by the application download platform from the application download platform, and the developer can also use the encryption method to encrypt the business modules of the application program through the agreed encryption method provided by the application download platform. For example, when a developer publishes an application whose first business module is encrypted by the agreed encryption method A to the application download platform, the application download platform may send the module information of the first business module and the agreed encryption method A to The DRM server, the DRM server stores the correspondence between the agreed encryption method A and the module information of the first service module in the memory of the DRN server.
- the DRM server receives the encryption method acquisition request sent by the development terminal and provides the agreed encryption method to the development terminal.
- the developer obtains the agreed encryption method through the development terminal, and encrypts the business module according to the agreed encryption method to obtain the first business module.
- the DRM server can obtain the module information of the first business module from the encrypted acquisition request when receiving the encrypted acquisition request, or after the developer completes the application development, obtain the first business feedback from the developer through the development terminal The module information of the module.
- the DRM service obtains the module information of the first business module, it associates the module information of the first business module with the agreed encryption method, and stores it in the memory of the DRM server.
- the developer can use the agreed encryption method set by himself to encrypt the business module to obtain the first business module.
- the developer can send the module information of the first service module and the agreed encryption method to the DRM server through the development terminal, and the DRM server obtains and stores the module information of the first service module and the agreed encryption method.
- the DRM server stores the module information of multiple first service modules and the agreed encryption method corresponding to each module information.
- the DRM server receives the secret key acquisition request sent by the terminal for acquiring the secret key information of the target first service module, the DRM server confirms that the user information corresponds to the user information and module information in the secret key acquisition request. After the user has the right to use the target first service module corresponding to the module information, he queries the memory of the DRM server for the agreed encryption method corresponding to the module information according to the module information, and then obtains the specified encryption method according to the agreed encryption method obtained from the query. The secret key information of the target first service module is sent to the terminal.
- the agreed encryption method can be, but is not limited to, RSA algorithm, Advanced Encryption Standard (AES), Elliptic Curve Digital Signature Algorithm (ECDSA). It should be noted that the example of the above-mentioned agreed encryption method setting scheme is only for explanation and does not constitute a limitation to the application. In other embodiments, other agreed methods may also be used to obtain the agreed encryption method.
- the encryption mode of each first service module may be the same or different.
- the multiple first service modules there are at least two different first service modules that have the same encryption method, so that developers can use the same encryption method to encrypt the service modules that need to be encrypted. Can reduce the number of times the encryption method is agreed upon.
- the DRM module will only use the obtained secret key information to decrypt the target first service module corresponding to the first operation instruction.
- the encryption methods of the first service module P and the first service module Q are the same, and the secret key information obtained by DRM according to the first operation instruction of the first service module P will only be used to decrypt the first service module P. Will be used to decrypt the first service module Q.
- the DRM module can still manage the usage rights of each first service module separately.
- the encryption modes of different first service modules are different. In this way, it can be avoided that after an illegal program intercepts the secret key information corresponding to a first service module, the secret key information is used to decrypt other first service modules, so that the usage rights of each first service module of the application program can be managed more effectively.
- the DRM server sends the secret key information to the terminal.
- the DRM module receives the secret key information sent by the DRM server, and decrypts the service module according to the secret key information.
- the DRM module can obtain the decryption algorithm according to the agreed encryption method, and use the decryption algorithm to decrypt the target first service module to obtain the decrypted service module.
- the DRM module can use the decryption algorithm in the secret key information to decrypt the target first service module to obtain the decrypted target first service module.
- the DRM module can read the Dex file containing the execution code of the target first service module from the application, and decrypt the Dex file by using the secret key information to obtain the decrypted Dex file.
- the DRM module sends an authentication response indicating that the authentication is successful to the control module.
- the terminal After the terminal starts the application program, it first runs the control module, and loads the control module into the Android virtual machine to run.
- the DRM module can load the decrypted Dex file into the virtual machine, so that the control module can control the execution of the service code of the Dex file in the Android virtual machine.
- control module receives the authentication response that the authentication is successful, it controls to run the decrypted target first service module, so as to realize the service function corresponding to the target first service module.
- the DRM module obtains the secret key information of the open service module from the DRM server according to the authentication request sent by the control module, and uses the secret key information to decrypt the open service module to obtain the decrypted Open the business module. Then the DRM module sends an authentication response indicating that the authentication is successful to the control module. After receiving the authentication response, the control module controls the operation of the open service module. In this way, the user can open the picture through the picture processing application, for example, the picture 604 shown in FIG. 9 can be opened.
- an open service module used to realize the function of opening a picture service an editing service module used to realize a function of editing a picture service, and a saving function used to realize the function of saving a picture
- the business module is the first business module encrypted together.
- the DRM module obtains the secret key information of the first service module from the DRM server according to the authentication request sent by the control module, and uses the secret key information to decrypt the open service module, edit service module, and save service module to obtain the decrypted The first business module. Then the DRM module sends an authentication response indicating that the authentication is successful to the control module. After receiving the authentication response, the control module controls the operation of the first service module. In this way, the terminal can enter the main interface of the application program, so that the user can realize the business functions of opening pictures, editing pictures, and saving pictures through the picture processing application program.
- the DRM module since the first service module that needs to be protected is encrypted, even if an illegal user modifies the application code, the DRM module sends an authentication response of successful authentication to the control module, as long as the DRM module does not obtain the first authentication response.
- the secret key information corresponding to the service module cannot decrypt the first service module, so the first service module cannot be run on the terminal.
- the terminal to run the first service module to realize the corresponding service function it must obtain the corresponding secret key information, and the condition for obtaining the secret key information is that the user using the terminal must have the right to use the first service module. In this way, only users who have the right to use the first service module can use the service function of the first service module of the application program, so that the right to use the service function of the application program can be effectively protected.
- An application that supports dynamic loading can be understood as an application that can be loaded multiple times when running the application, instead of having to load all at once and then run the application.
- the application program is an Android program
- a part of the Android program can be loaded to the Android virtual machine (DALVIK) and run, and then a part is loaded to the Android virtual machine and run.
- DALVIK Android virtual machine
- the virtual machine runs in parallel.
- the process of loading and running a part of the application first, and then loading another part of the application and running is the process of dynamic loading.
- Applications that support this loading method are applications that support dynamic loading. .
- the technical solution of the present application is not limited by the operating system.
- This application realizes the protection of the usage rights of the business functions of the application by encrypting the business modules in the application, without relying on the operating system.
- the application can be applied to but not limited to Android system, Windows system, Linux system or other systems capable of supporting dynamically loaded application programs.
- control module and the DRM module can be combined into one module, for example, the control module and the DRM module can be combined into a non-service module. That is, steps 501-503 can be implemented by the non-service module. When the non-service module obtains the user-triggered instruction to run the target first service module, the non-service module sends a secret key acquisition request to the DRM server. The above steps 507 to step 509 can also be implemented by the non-business module.
- the non-business module receives the secret key information sent by the DRM server, decrypts the target first business module according to the secret key information, and when the decryption is successful, controls the operation of the decrypted The target first business module to realize the business function corresponding to the target first business module.
- the terminal includes a trusted execution environment (TEE) and a rich execution environment (REE).
- TEE provides a secure environment for trusted applications (TA), and at the same time protects the confidentiality, integrity, and access rights of TA's resources and data.
- the rich execution environment REE runs an operating system with a terminal, such as Android system, Windows system, etc.
- the control module After the control module obtains the running instruction, the control module loads the DRM module into the TEE, and then sends an authentication request to the DRM module.
- the DRM module sends a secret key acquisition request to the DRM server according to the authentication request in the TEE, and receives secret key information sent by the DRM server, thereby improving the security of the secret key information and avoiding the secret key information being acquired by illegal programs.
- TEE can guarantee the confidentiality, integrity, and access authority of the resources and data of the DRM module, thereby enhancing the security of the use authority management of the right application.
- control module when the control module obtains the operation instruction of the first service module of the operation target triggered by the user, it displays a preset screen on the display screen of the terminal and sends an authentication request to the DRM module.
- the control module receives the authentication response that the authentication is successful sent by the DRN module, the control module stops displaying the preset screen on the terminal, and controls the operation target first service module to realize the service function corresponding to the service module.
- the terminal displays a preset screen, which can prevent the terminal from being unable to run the target first service module immediately due to the secret key information, and causing the user to make mistakes. Think that the application is stuck.
- the application program further includes an unencrypted second service module.
- the encrypted one or more first business modules are used to implement part of the business functions of the application, and the unencrypted business modules are used to implement another part of the business functions of the application.
- the control module obtains the operation instruction for running the second service module triggered by the user, the control module controls the operation of the second service module to realize the service function corresponding to the second service module. In this way, application developers can set the usage rights of some business functions through partial encryption.
- a picture processing application includes an open business module for realizing the business function of opening pictures, an editing business module for realizing the business function of editing pictures, a saving business module for realizing the business function of saving pictures, and a picture splicing module.
- Splicing business modules of business functions are encrypted, and the splicing service module is not encrypted.
- the open service module, edit service module, and save service module can be understood as the first service module, and the splicing service module can be understood as the second service module.
- the interface 1000 includes an open control 1001 corresponding to the open service module, an edit control 1002 corresponding to the edit service module, and a save control corresponding to the save service module. 1003 and a splicing control 1004 corresponding to the splicing service module.
- the first operation instruction is triggered, and the control module can confirm that the first operation is obtained according to the click operation. Run the instructions.
- the second operation instruction is triggered, and the control module can confirm that the second operation instruction is acquired according to the click operation.
- An embodiment of the present application provides a computer storage medium, including computer instructions, which when the computer instructions run on a terminal, cause the terminal to execute the application processing method in any of the foregoing possible embodiments.
- the embodiments of the present application provide a computer program product, which when the computer program product runs on a terminal, causes the terminal to execute the processing method of the application program in any of the above possible embodiments.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- Technology Law (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Power Engineering (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Telephone Function (AREA)
Abstract
本申请公开了一种应用程序的处理方法及相关产品。方法包括:当非业务模块获取到用户触发的运行目标第一业务模块的第一运行指令时,终端利用非业务模块向数字版权管理(Digital Rights Management,DRM)服务器发送秘钥获取请求。秘钥获取请求用于请求目标第一业务模块对应的秘钥信息。秘钥信息是DRM服务器确认用户具有目标第一业务模块的使用权限时反馈的。终端利用非业务模块根据秘钥信息对目标第一业务模块进行解密,并执行目标第一业务模块对应的业务功能。
Description
本申请要求于2019年9月29日提交中国专利局、申请号为201910935759.1、申请名称为“应用程序的处理方法及相关产品”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本申请涉及应用程序技术领域,尤其涉及一种应用程序的处理方法及相关产品。
随着电子技术以及计算机技术的不断发展,手机、平板电脑、智能可穿戴设备等终端已得到普及。终端通过各种应用程序可以帮助用户实现各种各样的功能。应用程序的版权保护也逐渐受到重视。
目前,对应用程序的版权保护主要是针对应用程序的使用权限的保护,具体的保护方式是,应用程序包括数字版权管理(digital rights management,DRM)模块和业务模块,DRM模块用于对业务模块的使用权限进行管理,业务模块用于实现应用程序的业务功能,例如图片处理应用程序的业务模块用于实现图片处理功能。终端响应于用户的操作启动应用程序时,先由该应用程序的DRM模块向DRM服务器请求获取DRM签名,在该应用程序的DRM模块获取到DRM签名后,DRM模块校验DRM签名是否有效,如有效则DRM模块返回DRM鉴权成功的鉴权结果给该应用程序的业务模块。业务模块接收到鉴权成功的鉴权结果之后,实现该应用程序的业务功能。但是,若采用这种保护方式,未授权的用户只需要修改DRM模块返回的鉴权结果为鉴权成功,即可随意运行该应用程序的业务模块以实现该应用程序的业务功能,这样,对应用程序的业务功能的使用权限的保护方式存在较大的漏洞。
发明内容
本申请提供了一种应用程序的处理方法及相关产品,可以有效地对应用程序的业务模块的使用权限进行保护。
第一方面,本申请提供了一种应用程序的处理方法,所述应用程序包括一个或多个加密的第一业务模块和未加密的非业务模块。所述方法包括:首先,当所述非业务模块获取到用户触发的运行目标第一业务模块的第一运行指令时,终端利用所述非业务模块向数字版权管理(Digital Rights Management,DRM)服务器发送秘钥获取请求。所述秘钥获取请求,用于请求所述目标第一业务模块对应的秘钥信息。其中,所述秘钥信息是所述DRM服务器在确认所述用户具有所述目标第一业务模块的使用权限时反馈的。然后,所述终端利用所述非业务模块获取所述DRM服务器发送的所述秘钥信息。所述终端利用所述非业务模块根据所述秘钥信息对所述目标第一业务模块进行解密,并执行所述目标第一业务模块对应的业务功能。
本申请的技术方案中,由于需要被保护的第一业务模块是加密的,终端要运行第一业 务模块以实现该对应的业务功能,须获得对应的秘钥信息,而获得秘钥信息的条件是使用该终端的用户须具备该第一业务模块的使用权限。这样,可以使得只有具备第一业务模块的使用权限的用户才能使用该应用程序的第一业务模块的业务功能,从而可以有效地对应用程序的业务功能的使用权限进行保护。
在一些可能的实施方式中,所述秘钥获取请求包括所述用户的用户信息和所述目标第一业务模块的模块信息,以用于所述DRM服务器根据所述用户信息查询所述用户的应用程序权限信息,并根据所述应用程序权限信息以及所述模块信息确定判断所述用户是否具有所述目标第一业务模块的使用权限。如此,DRM服务器可以根据用户信息查找到该用户对应的应用程序权限信息,从而使得DRM服务器可以权限库中每个用户的应用程序权限信息,对每个用户使用应用程序的业务模块的使用权限进行管控。
在一些可能的实施方式中,所述秘钥获取请求还包括所述用户提供的与所述用户信息对应的验证信息,所述验证信息用于DRM服务器在所述查询步骤之前,确认所述用户信息与所述验证信息匹配。这样DRM服务器可以验证该第一运行指令是不是由该用户信息对应的用户触发的,避免非法用户获得具备该目标第一业务模块的使用权限的第一用户的户信息之后,利用该第一用户的用户信息从DRM服务器获得目标第一业务模块的秘钥信息。
在一些可能的实施方式中,所述终端利用所述非业务模块向DRM服务器发送秘钥获取请求之前,所述方法还包括:所述终端利用所述非业务模块确定所述终端中不具有所述目标第一业务模块对应的秘钥信息。那么,当终端中具有所述目标第一业务模块对应的秘钥信息时,非业务模块则可以不必向DRM服务器发送秘钥获取请求,而是可以利用终端中的秘钥信息对目标第一业务模块进行解密,这样终端可以更快速地运行目标第一业务模块。
在一些可能的实施方式中,所述应用程序还包括未加密的第二业务模块;所述方法还包括:当所述非业务模块获取到用户触发的运行所述第二业务模块的第二运行指令时,所述终端通过所述非业务模块执行所述第二业务模块对应的业务功能。其中一个或多个第一业务模块用于实现应用程序的一部分业务功能,第二业务模块用于实现应用程序的另一部分业务功能。这样可以实现仅对应用程序的部分业务功能的使用权限进行管控,使得应用程序的权限管理方式更加灵活。
在一些可能的实施方式中,所述非业务模块包括控制模块和DRM模块;所述终端利用所述非业务模块向DRM服务器发送秘钥获取请求,具体包括:所述终端利用所述控制模块向所述DRM模块发送鉴权请求;和所述终端利用所述DRM模块根据所述鉴权请求向DRM服务器发送秘钥获取请求。所述终端利用所述非业务模块接收所述DRM服务器发送的秘钥信息,具体包括:所述终端利用所述DRM模块接收所述DRM服务器发送的秘钥信息。所述终端利用所述非业务模块根据所述秘钥信息对所述目标第一业务模块进行解密,并执行所述目标第一业务模块对应的业务功能包括:所述终端利用所述DRM模块根据所述秘钥信息对所述目标第一业务模块进行解密,并在解密成功时发送鉴权成功的鉴权响应至所述控制模块;和在所述控制模块接收到所述鉴权成功的鉴权响应时,所述终端利用所述控制模块执行所述目标第一业务模块对应的业务功能。如此,由于需要被保护的第一业 务模块是加密的,即使非法用户通过修改应用程序代码,使得DRM模块发送鉴权成功的鉴权结果给控制模块,只要DRM模块没有获得第一业务模块的秘钥信息,就无法对第一业务模块进行解密,从而可以使得只有具备权限的用户才能使用第一业务模块对应的业务功能,有效地保护应用程序的业务功能的使用权限。
在一些可能的实施方式中,所述终端利用所述控制模块向所述DRM模块发送鉴权请求包括:所述终端显示预设画面,并通过所述控制模块向所述DRM模块发送鉴权请求。所述在所述控制模块接收到所述鉴权成功的鉴权响应时,所述终端利用所述控制模块执行所述目标第一业务模块对应的业务功能,具体包括:在所述控制模块接收到鉴权成功的鉴权响应时,所述终端停止显示所述预设画面,并利用所述控制模块执行所述目标第一业务模块对应的业务功能。这样,在DRM模块发送秘钥获取请求,请求DRM服务器下发秘钥信息的过程中,终端显示预设画面,可以避免终端因获取秘钥信息无法马上运行目标第一业务模块,而让用户误认为应用程序卡顿。
第二方面,本申请提供了一种终端,包括显示屏、存储器、一个或多个处理器,以及多个应用程序。存储其中存储一个或多个程序,一个或多个处理器运行所述一个或多个程序时,使得终端执行上述第一方面任一项可能的实施方式中的应用程序的处理方法。
第三方面,本申请实施例提供了一种计算机存储介质,包括计算机指令,当计算机指令在终端上运行时,使得终端执行上述第一方面任一项可能的实施方式中的应用程序的处理方法。
第四方面,本申请实施例提供了一种计算机程序产品,当计算机程序产品在终端上运行时,使得终端执行上述第一方面任一项可能的实施方式中的应用程序的处理方法。
为了更清楚地说明本申请实施例或现有技术中的技术方案,下面将对实施例中所需要使用的附图作简单地介绍。
图1为本申请实施例的网络架构示意图;
图2为本申请实施例提供的终端的结构示意图;
图3为本申请实施例提供的终端的软件结构框图;
图4为现有技术的应用程序的鉴权方法的流程示意图;
图5为本申请实施例提供的应用程序的处理方法的流程示意图;
图6为本申请实施例提供的应用程序的处理方法的应用场景示意图;
图7为本申请实施例提供的应用程序的处理方法的另一应用场景示意图;
图8为本申请实施例提供的应用程序的处理方法的又一应用场景示意图;
图9为本申请实施例提供的应用程序的处理方法的再一应用场景示意图;
图10为本申请实施例提供的应用程序的处理方法的再又一应用场景示意图。
下面将结合附图对本申请实施例中的技术方案进行清除、详尽地描述。其中,在本申请实施例的描述中,除非另有说明,“/”表示或的意思,例如,A/B可以表示A或B;文本中的“和/或”仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况,另外,在本申请实施例的描述中,“多个”是指两个或多于两个。
以下,术语“第一”、“第二”仅用于描述目的,而不能理解为暗示或暗示相对重要性或者隐含指明所指示的技术特征的数量。由此,限定有“第一”、“第二”的特征可以明示或者隐含地包括一个或者更多个该特征,在本申请实施例的描述中,除非另有说明,“多个”的含义是两个或两个以上。
请参阅图1,图1为本申请实施例提供的一种网络架构图。如图1所示,该网络架构100包括终端10、数字版权管理(DRM)服务器20和通信链路30。通信链路30可以是有线通信链路也可以是无线通信链路。
终端10可以包括但不限于个人电脑、智能手机、智能穿戴设备、智能电视、平板电脑、个人数字助理等等。
图2示出了终端10的结构示意图。
下面以终端10为例对实施例进行具体说明。应该理解的是,图2所示终端10仅是一个范例,并且终端10可以具有比图2中所示的更多的或者更少的部件,可以组合两个或多个的部件,或者可以具有不同的部件配置。图中所示出的各种部件可以在包括一个或多个信号处理和/或专用集成电路在内的硬件、软件、或硬件和软件的组合中实现。
终端10可以包括:处理器110,外部存储器接口120,内部存储器121,通用串行总线(universal serial bus,USB)接口130,充电管理模块140,电源管理模块141,电池142,天线1,天线2,移动通信模块150,无线通信模块160,音频模块170,扬声器170A,受话器170B,麦克风170C,耳机接口170D,传感器模块180,按键190,马达191,指示器192,摄像头193,显示屏194,以及用户标识模块(subscriber identification module,SIM)卡接口195等。其中传感器模块180可以包括压力传感器180A,陀螺仪传感器180B,气压传感器180C,磁传感器180D,加速度传感器180E,距离传感器180F,接近光传感器180G,指纹传感器180H,温度传感器180J,触摸传感器180K,环境光传感器180L,骨传导传感器180M等。
可以理解的是,本发明实施例示意的结构并不构成对终端10的具体限定。在本申请另一些实施例中,终端10可以包括比图示更多或更少的部件,或者组合某些部件,或者拆分某些部件,或者不同的部件布置。图示的部件可以以硬件,软件或软件和硬件的组合实现。
处理器110可以包括一个或多个处理单元,例如:处理器110可以包括应用处理器(application processor,AP),调制解调处理器,图形处理器(graphics processing unit,GPU),图像信号处理器(image signal processor,ISP),控制器,存储器,视频编解码器,数字信号处理器(digital signal processor,DSP),基带处理器,和/或神经网络处理器(neural-network processing unit,NPU)等。其中,不同的处理单元可以是独立的器件,也可以集成在一个或多个处理器中。
其中,控制器可以是终端10的神经中枢和指挥中心。控制器可以根据指令操作码和时序信号,产生操作控制信号,完成取指令和执行指令的控制。
处理器110中还可以设置存储器,用于存储指令和数据。在一些实施例中,处理器110中的存储器为高速缓冲存储器。该存储器可以保存处理器110刚用过或循环使用的指令或数据。如果处理器110需要再次使用该指令或数据,可从所述存储器中直接调用。避免了重复存取,减少了处理器110的等待时间,因而提高了系统的效率。
在一些实施例中,处理器110可以包括一个或多个接口。接口可以包括集成电路(inter-integrated circuit,I2C)接口,集成电路内置音频(inter-integrated circuit sound,I2S)接口,脉冲编码调制(pulse code modulation,PCM)接口,通用异步收发传输器(universal asynchronous receiver/transmitter,UART)接口,移动产业处理器接口(mobile industry processor interface,MIPI),通用输入输出(general-purpose input/output,GPIO)接口,用户标识模块(subscriber identity module,SIM)接口,和/或通用串行总线(universal serial bus,USB)接口等。
I2C接口是一种双向同步串行总线,包括一根串行数据线(serial data line,SDA)和一根串行时钟线(derail clock line,SCL)。在一些实施例中,处理器110可以包含多组I2C总线。处理器110可以通过不同的I2C总线接口分别耦合触摸传感器180K,充电器,闪光灯,摄像头193等。例如:处理器110可以通过I2C接口耦合触摸传感器180K,使处理器110与触摸传感器180K通过I2C总线接口通信,实现终端10的触摸功能。
I2S接口可以用于音频通信。在一些实施例中,处理器110可以包含多组I2S总线。处理器110可以通过I2S总线与音频模块170耦合,实现处理器110与音频模块170之间的通信。在一些实施例中,音频模块170可以通过I2S接口向无线通信模块160传递音频信号,实现通过蓝牙耳机接听电话的功能。
PCM接口也可以用于音频通信,将模拟信号抽样,量化和编码。在一些实施例中,音频模块170与无线通信模块160可以通过PCM总线接口耦合。在一些实施例中,音频模块170也可以通过PCM接口向无线通信模块160传递音频信号,实现通过蓝牙耳机接听电话的功能。所述I2S接口和所述PCM接口都可以用于音频通信。
UART接口是一种通用串行数据总线,用于异步通信。该总线可以为双向通信总线。它将要传输的数据在串行通信与并行通信之间转换。在一些实施例中,UART接口通常被用于连接处理器110与无线通信模块160。例如:处理器110通过UART接口与无线通信模块160中的蓝牙模块通信,实现蓝牙功能。在一些实施例中,音频模块170可以通过UART接口向无线通信模块160传递音频信号,实现通过蓝牙耳机播放音乐的功能。
MIPI接口可以被用于连接处理器110与显示屏194,摄像头193等外围器件。MIPI接口包括摄像头串行接口(camera serial interface,CSI),显示屏串行接口(display serial interface,DSI)等。在一些实施例中,处理器110和摄像头193通过CSI接口通信,实现终端10的拍摄功能。处理器110和显示屏194通过DSI接口通信,实现终端10的显示功能。
GPIO接口可以通过软件配置。GPIO接口可以被配置为控制信号,也可被配置为数据信号。在一些实施例中,GPIO接口可以用于连接处理器110与摄像头193,显示屏194,无线通信模块160,音频模块170,传感器模块180等。GPIO接口还可以被配置为I2C接 口,I2S接口,UART接口,MIPI接口等。
USB接口130是符合USB标准规范的接口,具体可以是Mini USB接口,Micro USB接口,USB Type C接口等。USB接口130可以用于连接充电器为终端10充电,也可以用于终端10与外围设备之间传输数据。也可以用于连接耳机,通过耳机播放音频。该接口还可以用于连接其他电子设备,例如AR设备等。
可以理解的是,本发明实施例示意的各模块间的接口连接关系,只是示意性说明,并不构成对终端10的结构限定。在本申请另一些实施例中,终端10也可以采用上述实施例中不同的接口连接方式,或多种接口连接方式的组合。
充电管理模块140用于从充电器接收充电输入。其中,充电器可以是无线充电器,也可以是有线充电器。在一些有线充电的实施例中,充电管理模块140可以通过USB接口130接收有线充电器的充电输入。在一些无线充电的实施例中,充电管理模块140可以通过终端10的无线充电线圈接收无线充电输入。充电管理模块140为电池142充电的同时,还可以通过电源管理模块141为电子设备供电。
电源管理模块141用于连接电池142,充电管理模块140与处理器110。电源管理模块141接收电池142和/或充电管理模块140的输入,为处理器110,内部存储器121,外部存储器,显示屏194,摄像头193,和无线通信模块160等供电。电源管理模块141还可以用于监测电池容量,电池循环次数,电池健康状态(漏电,阻抗)等参数。在其他一些实施例中,电源管理模块141也可以设置于处理器110中。在另一些实施例中,电源管理模块141和充电管理模块140也可以设置于同一个器件中。
终端10的无线通信功能可以通过天线1,天线2,移动通信模块150,无线通信模块160,调制解调处理器以及基带处理器等实现。
天线1和天线2用于发射和接收电磁波信号。终端10中的每个天线可用于覆盖单个或多个通信频带。不同的天线还可以复用,以提高天线的利用率。例如:可以将天线1复用为无线局域网的分集天线。在另外一些实施例中,天线可以和调谐开关结合使用。
移动通信模块150可以提供应用在终端10上的包括2G/3G/4G/5G等无线通信的解决方案。移动通信模块150可以包括至少一个滤波器,开关,功率放大器,低噪声放大器(low noise amplifier,LNA)等。移动通信模块150可以由天线1接收电磁波,并对接收的电磁波进行滤波,放大等处理,传送至调制解调处理器进行解调。移动通信模块150还可以对经调制解调处理器调制后的信号放大,经天线1转为电磁波辐射出去。在一些实施例中,移动通信模块150的至少部分功能模块可以被设置于处理器110中。在一些实施例中,移动通信模块150的至少部分功能模块可以与处理器110的至少部分模块被设置在同一个器件中。
调制解调处理器可以包括调制器和解调器。其中,调制器用于将待发送的低频基带信号调制成中高频信号。解调器用于将接收的电磁波信号解调为低频基带信号。随后解调器将解调得到的低频基带信号传送至基带处理器处理。低频基带信号经基带处理器处理后,被传递给应用处理器。应用处理器通过音频设备(不限于扬声器170A,受话器170B等)输出声音信号,或通过显示屏194显示图像或视频。在一些实施例中,调制解调处理器可以是独立的器件。在另一些实施例中,调制解调处理器可以独立于处理器110,与移动通信 模块150或其他功能模块设置在同一个器件中。
无线通信模块160可以提供应用在终端10上的包括无线局域网(wireless local area networks,WLAN)(如无线保真(wireless fidelity,Wi-Fi)网络),蓝牙(bluetooth,BT),全球导航卫星系统(global navigation satellite system,GNSS),调频(frequency modulation,FM),近距离无线通信技术(near field communication,NFC),红外技术(infrared,IR)等无线通信的解决方案。无线通信模块160可以是集成至少一个通信处理模块的一个或多个器件。无线通信模块160经由天线2接收电磁波,将电磁波信号调频以及滤波处理,将处理后的信号发送到处理器110。无线通信模块160还可以从处理器110接收待发送的信号,对其进行调频,放大,经天线2转为电磁波辐射出去。
在一些实施例中,终端10的天线1和移动通信模块150耦合,天线2和无线通信模块160耦合,使得终端10可以通过无线通信技术与网络以及其他设备通信。所述无线通信技术可以包括全球移动通讯系统(global system for mobile communications,GSM),通用分组无线服务(general packet radio service,GPRS),码分多址接入(code division multiple access,CDMA),宽带码分多址(wideband code division multiple access,WCDMA),时分码分多址(time-division code division multiple access,TD-SCDMA),长期演进(long term evolution,LTE),BT,GNSS,WLAN,NFC,FM,和/或IR技术等。所述GNSS可以包括全球卫星定位系统(global positioning system,GPS),全球导航卫星系统(global navigation satellite system,GLONASS),北斗卫星导航系统(beidou navigation satellite system,BDS),准天顶卫星系统(quasi-zenith satellite system,QZSS)和/或星基增强系统(satellite based augmentation systems,SBAS)。
终端10通过GPU,显示屏194,以及应用处理器等实现显示功能。GPU为图像处理的微处理器,连接显示屏194和应用处理器。GPU用于执行数学和几何计算,用于图形渲染。处理器110可包括一个或多个GPU,其执行程序指令以生成或改变显示信息。
显示屏194用于显示图像,视频等。显示屏194包括显示面板。显示面板可以采用液晶显示屏(liquid crystal display,LCD),有机发光二极管(organic light-emitting diode,OLED),有源矩阵有机发光二极体或主动矩阵有机发光二极体(active-matrix organic light emitting diode的,AMOLED),柔性发光二极管(flex light-emitting diode,FLED),Miniled,MicroLed,Micro-oLed,量子点发光二极管(quantum dot light emitting diodes,QLED)等。在一些实施例中,终端10可以包括1个或N个显示屏194,N为大于1的正整数。
终端10可以通过ISP,摄像头193,视频编解码器,GPU,显示屏194以及应用处理器等实现拍摄功能。
ISP用于处理摄像头193反馈的数据。例如,拍照时,打开快门,光线通过镜头被传递到摄像头感光元件上,光信号转换为电信号,摄像头感光元件将所述电信号传递给ISP处理,转化为肉眼可见的图像。ISP还可以对图像的噪点,亮度,肤色进行算法优化。ISP还可以对拍摄场景的曝光,色温等参数优化。在一些实施例中,ISP可以设置在摄像头193中。
摄像头193用于捕获静态图像或视频。物体通过镜头生成光学图像投射到感光元件。感光元件可以是电荷耦合器件(charge coupled device,CCD)或互补金属氧化物半导体 (complementary metal-oxide-semiconductor,CMOS)光电晶体管。感光元件把光信号转换成电信号,之后将电信号传递给ISP转换成数字图像信号。ISP将数字图像信号输出到DSP加工处理。DSP将数字图像信号转换成标准的RGB,YUV等格式的图像信号。在一些实施例中,终端10可以包括1个或N个摄像头193,N为大于1的正整数。
数字信号处理器用于处理数字信号,除了可以处理数字图像信号,还可以处理其他数字信号。例如,当终端10在频点选择时,数字信号处理器用于对频点能量进行傅里叶变换等。
视频编解码器用于对数字视频压缩或解压缩。终端10可以支持一种或多种视频编解码器。这样,终端10可以播放或录制多种编码格式的视频,例如:动态图像专家组(moving picture experts group,MPEG)1,MPEG2,MPEG3,MPEG4等。
NPU为神经网络(neural-network,NN)计算处理器,通过借鉴生物神经网络结构,例如借鉴人脑神经元之间传递模式,对输入信息快速处理,还可以不断的自学习。通过NPU可以实现终端10的智能认知等应用,例如:图像识别,人脸识别,语音识别,文本理解等。
外部存储器接口120可以用于连接外部存储卡,例如Micro SD卡,实现扩展终端10的存储能力。外部存储卡通过外部存储器接口120与处理器110通信,实现数据存储功能。例如将音乐,视频等文件保存在外部存储卡中。
内部存储器121可以用于存储计算机可执行程序代码,所述可执行程序代码包括指令。处理器110通过运行存储在内部存储器121的指令,从而执行终端10的各种功能应用以及数据处理。内部存储器121可以包括存储程序区和存储数据区。其中,存储程序区可存储操作系统,至少一个功能所需的应用程序(比如声音播放功能,图像播放功能等)等。存储数据区可存储终端10使用过程中所创建的数据(比如音频数据,电话本等)等。此外,内部存储器121可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件,闪存器件,通用闪存存储器(universal flash storage,UFS)等。
终端10可以通过音频模块170,扬声器170A,受话器170B,麦克风170C,耳机接口170D,以及应用处理器等实现音频功能。例如音乐播放,录音等。
音频模块170用于将数字音频信息转换成模拟音频信号输出,也用于将模拟音频输入转换为数字音频信号。音频模块170还可以用于对音频信号编码和解码。在一些实施例中,音频模块170可以设置于处理器110中,或将音频模块170的部分功能模块设置于处理器110中。
扬声器170A,也称“喇叭”,用于将音频电信号转换为声音信号。终端10可以通过扬声器170A收听音乐,或收听免提通话。
受话器170B,也称“听筒”,用于将音频电信号转换成声音信号。当终端10接听电话或语音信息时,可以通过将受话器170B靠近人耳接听语音。
麦克风170C,也称“话筒”,“传声器”,用于将声音信号转换为电信号。当拨打电话或发送语音信息时,用户可以通过人嘴靠近麦克风170C发声,将声音信号输入到麦克风170C。终端10可以设置至少一个麦克风170C。在另一些实施例中,终端10可以设置两个麦克风170C,除了采集声音信号,还可以实现降噪功能。在另一些实施例中,终端10还可以设置三个,四个或更多麦克风170C,实现采集声音信号,降噪,还可以识别声音来源, 实现定向录音功能等。
耳机接口170D用于连接有线耳机。耳机接口170D可以是USB接口130,也可以是3.5mm的开放移动电子设备平台(open mobile terminal platform,OMTP)标准接口,美国蜂窝电信工业协会(cellular telecommunications industry association of the USA,CTIA)标准接口。
压力传感器180A用于感受压力信号,可以将压力信号转换成电信号。在一些实施例中,压力传感器180A可以设置于显示屏194。压力传感器180A的种类很多,如电阻式压力传感器,电感式压力传感器,电容式压力传感器等。电容式压力传感器可以是包括至少两个具有导电材料的平行板。当有力作用于压力传感器180A,电极之间的电容改变。终端10根据电容的变化确定压力的强度。当有触摸操作作用于显示屏194,终端10根据压力传感器180A检测所述触摸操作强度。终端10也可以根据压力传感器180A的检测信号计算触摸的位置。在一些实施例中,作用于相同触摸位置,但不同触摸操作强度的触摸操作,可以对应不同的操作指令。例如:当有触摸操作强度小于第一压力阈值的触摸操作作用于短消息应用图标时,执行查看短消息的指令。当有触摸操作强度大于或等于第一压力阈值的触摸操作作用于短消息应用图标时,执行新建短消息的指令。
陀螺仪传感器180B可以用于确定终端10的运动姿态。在一些实施例中,可以通过陀螺仪传感器180B确定终端10围绕三个轴(即,x,y和z轴)的角速度。陀螺仪传感器180B可以用于拍摄防抖。示例性的,当按下快门,陀螺仪传感器180B检测终端10抖动的角度,根据角度计算出镜头模组需要补偿的距离,让镜头通过反向运动抵消终端10的抖动,实现防抖。陀螺仪传感器180B还可以用于导航,体感游戏场景。
气压传感器180C用于测量气压。在一些实施例中,终端10通过气压传感器180C测得的气压值计算海拔高度,辅助定位和导航。
磁传感器180D包括霍尔传感器。终端10可以利用磁传感器180D检测翻盖皮套的开合。在一些实施例中,当终端10是翻盖机时,终端10可以根据磁传感器180D检测翻盖的开合。进而根据检测到的皮套的开合状态或翻盖的开合状态,设置翻盖自动解锁等特性。
加速度传感器180E可检测终端10在各个方向上(一般为三轴)加速度的大小。当终端10静止时可检测出重力的大小及方向。还可以用于识别电子设备姿态,应用于横竖屏切换,计步器等应用。
距离传感器180F,用于测量距离。终端10可以通过红外或激光测量距离。在一些实施例中,拍摄场景,终端10可以利用距离传感器180F测距以实现快速对焦。
接近光传感器180G可以包括例如发光二极管(LED)和光检测器,例如光电二极管。发光二极管可以是红外发光二极管。终端10通过发光二极管向外发射红外光。终端10使用光电二极管检测来自附近物体的红外反射光。当检测到充分的反射光时,可以确定终端10附近有物体。当检测到不充分的反射光时,终端10可以确定终端10附近没有物体。终端10可以利用接近光传感器180G检测用户手持终端10贴近耳朵通话,以便自动熄灭屏幕达到省电的目的。接近光传感器180G也可用于皮套模式,口袋模式自动解锁与锁屏。
环境光传感器180L用于感知环境光亮度。终端10可以根据感知的环境光亮度自适应调节显示屏194亮度。环境光传感器180L也可用于拍照时自动调节白平衡。环境光传感器180L还可以与接近光传感器180G配合,检测终端10是否在口袋里,以防误触。
指纹传感器180H用于采集指纹。终端10可以利用采集的指纹特性实现指纹解锁,访问应用锁,指纹拍照,指纹接听来电等。
温度传感器180J用于检测温度。在一些实施例中,终端10利用温度传感器180J检测的温度,执行温度处理策略。例如,当温度传感器180J上报的温度超过阈值,终端10执行降低位于温度传感器180J附近的处理器的性能,以便降低功耗实施热保护。在另一些实施例中,当温度低于另一阈值时,终端10对电池142加热,以避免低温导致终端10异常关机。在其他一些实施例中,当温度低于又一阈值时,终端10对电池142的输出电压执行升压,以避免低温导致的异常关机。
触摸传感器180K,也称“触控面板”。触摸传感器180K可以设置于显示屏194,由触摸传感器180K与显示屏194组成触摸屏,也称“触控屏”。触摸传感器180K用于检测作用于其上或附近的触摸操作。触摸传感器可以将检测到的触摸操作传递给应用处理器,以确定触摸事件类型。可以通过显示屏194提供与触摸操作相关的视觉输出。在另一些实施例中,触摸传感器180K也可以设置于终端10的表面,与显示屏194所处的位置不同。
骨传导传感器180M可以获取振动信号。在一些实施例中,骨传导传感器180M可以获取人体声部振动骨块的振动信号。骨传导传感器180M也可以接触人体脉搏,接收血压跳动信号。在一些实施例中,骨传导传感器180M也可以设置于耳机中,结合成骨传导耳机。音频模块170可以基于所述骨传导传感器180M获取的声部振动骨块的振动信号,解析出语音信号,实现语音功能。应用处理器可以基于所述骨传导传感器180M获取的血压跳动信号解析心率信息,实现心率检测功能。
按键190包括开机键,音量键等。按键190可以是机械按键。也可以是触摸式按键。终端10可以接收按键输入,产生与终端10的用户设置以及功能控制有关的键信号输入。
马达191可以产生振动提示。马达191可以用于来电振动提示,也可以用于触摸振动反馈。例如,作用于不同应用(例如拍照,音频播放等)的触摸操作,可以对应不同的振动反馈效果。作用于显示屏194不同区域的触摸操作,马达191也可对应不同的振动反馈效果。不同的应用场景(例如:时间提醒,接收信息,闹钟,游戏等)也可以对应不同的振动反馈效果。触摸振动反馈效果还可以支持自定义。
指示器192可以是指示灯,可以用于指示充电状态,电量变化,也可以用于指示消息,未接来电,通知等。
SIM卡接口195用于连接SIM卡。SIM卡可以通过插入SIM卡接口195,或从SIM卡接口195拔出,实现和终端10的接触和分离。终端10可以支持1个或N个SIM卡接口,N为大于1的正整数。SIM卡接口195可以支持Nano SIM卡,Micro SIM卡,SIM卡等。同一个SIM卡接口195可以同时插入多张卡。所述多张卡的类型可以相同,也可以不同。SIM卡接口195也可以兼容不同类型的SIM卡。SIM卡接口195也可以兼容外部存储卡。终端10通过SIM卡和网络交互,实现通话以及数据通信等功能。在一些实施例中,终端10采用eSIM,即:嵌入式SIM卡。eSIM卡可以嵌在终端10中,不能和终端10分离。
终端10的软件系统可以采用分层架构,事件驱动架构,微核架构,微服务架构,或云架构。本发明实施例以分层架构的Android系统为例,示例性说明终端10的软件结构。
图3是本发明实施例的终端10的软件结构框图。
分层架构将软件分成若干个层,每一层都有清晰的角色和分工。层与层之间通过软件接口通信。在一些实施例中,将Android系统分为四层,从上至下分别为应用程序层,应用程序框架层,安卓运行时(Android runtime)和系统库,以及内核层。
应用程序层可以包括一系列应用程序包。
如图3所示,其中一个应用程序包括控制模块,DRM模块和加密的一个或多个第一业务模块,第一业务模块用于实现该应用程序的业务功能,控制模块用于控制DRM模块对该第一业务模块进行解密并在解密之后控制运行该第一业务模块。控制模块例如可包括Application类及其调用的初始化代码,例如读取配置项、初始化数据库连接等。
应用程序框架层为应用程序层的应用程序提供应用编程接口(application programming interface,API)和编程框架。应用程序框架层包括一些预先定义的函数。
如图3所示,应用程序框架层可以包括窗口管理器,内容提供器,视图系统,电话管理器,资源管理器,通知管理器等。
窗口管理器用于管理窗口程序。窗口管理器可以获取显示屏大小,判断是否有状态栏,锁定屏幕,截取屏幕等。
内容提供器用来存放和获取数据,并使这些数据可以被应用程序访问。所述数据可以包括视频,图像,音频,拨打和接听的电话,浏览历史和书签,电话簿等。
视图系统包括可视控件,例如显示文字的控件,显示图片的控件等。视图系统可用于构建应用程序。显示界面可以由一个或多个视图组成的。例如,包括短信通知图标的显示界面,可以包括显示文字的视图以及显示图片的视图。
电话管理器用于提供终端10的通信功能。例如通话状态的管理(包括接通,挂断等)。
资源管理器为应用程序提供各种资源,比如本地化字符串,图标,图片,布局文件,视频文件等等。
通知管理器使应用程序可以在状态栏中显示通知信息,可以用于传达告知类型的消息,可以短暂停留后自动消失,无需用户交互。比如通知管理器被用于告知下载完成,消息提醒等。通知管理器还可以是以图表或者滚动条文本形式出现在系统顶部状态栏的通知,例如后台运行的应用程序的通知,还可以是以对话窗口形式出现在屏幕上的通知。例如在状态栏提示文本信息,发出提示音,电子设备振动,指示灯闪烁等。
Android Runtime包括核心库和虚拟机。Android runtime负责安卓系统的调度和管理。
核心库包含两部分:一部分是java语言需要调用的功能函数,另一部分是安卓的核心库。
应用程序层和应用程序框架层运行在安卓虚拟机中(DALVIK)。安卓虚拟机将应用程序层和应用程序框架层的java文件执行为二进制文件。安卓虚拟机用于执行对象生命周期的管理,堆栈管理,线程管理,安全和异常的管理,以及垃圾回收等功能。
系统库可以包括多个功能模块。例如:表面管理器(surface manager),媒体库(Media Libraries),三维图形处理库(例如:OpenGL ES),2D图形引擎(例如:SGL)等。
表面管理器用于对显示子系统进行管理,并且为多个应用程序提供了2D和3D图层的融合。
媒体库支持多种常用的音频,视频格式回放和录制,以及静态图像文件等。媒体库可以支持多种音视频编码格式,例如:MPEG4,H.264,MP3,AAC,AMR,JPG,PNG等。
三维图形处理库用于实现三维图形绘图,图像渲染,合成,和图层处理等。
2D图形引擎是2D绘图的绘图引擎。
内核层是硬件和软件之间的层。内核层至少包含显示驱动,摄像头驱动,音频驱动,传感器驱动。
数字版权管理(Digital Rights Management,DRM),指的是出版者用来控制被保护对象的使用权的一些技术,用于对数字化内容(例如:软件、音乐、电影)以及处理数字化产品的使用权限进行管理。DRM保护技术使用以后可以控制和限制这些数字化内容的使用权。相关技术中,对软件或应用程序的版权保护的关键是防止未授权用户执行受保护的应用程序部分或全部功能,也即对软件或应用程序的版权保护的关键是对软件或应用程序的使用权限进行管理,而并不限制软件/应用程序的复制。
在现有技术中,为了防止未授权用户利用终端使用受保护的应用程序实现该应用程序对应的功能,通常是采用数字签名的方式来对应用程序进行数字版权管理。如图4所示,图4是现有技术中的应用程序数字版权管理的流程示意图,应用程序包括DRM模块和业务模块。DRM模块用于通过管理业务模块的使用权限对业务模块进行版权保护,业务模块用于实现该应用程序的业务功能,例如图片处理应用软件的业务模块用于实现图片处理的功能。具体的版权保护方式为:
S401、终端的业务模块获取用户针对应用程序的启动操作。
S402、终端响应于用户针对应用程序的启动操作启动应用程序,应用程序中的业务模块向DRM模块发送鉴权请求,鉴权请求用于指示DRN模块鉴定该用户是否具备该业务模块的使用权限。
S403、DRM模块根据鉴权请求,发送DRM签名获取请求至DRM服务器。
S404、DRM服务器在确认该用户购买了该应用程序之后,向终端发送该应用程序的DRM签名。
S405、DRM模块验证DRM签名是否合法;
S406、若DRM签名合法,则DRM模块发送鉴权成功的鉴权结果给业务模块;若DRM签名不合法,则DRM模块发送鉴权失败的鉴权结果给业务模块。
S407;业务模块接收到鉴权成功的鉴权结果时,执行应用程序对应的业务功能。
由此可见,在上述方案中,业务模块是根据鉴权结果来确认是否执行对应的业务功能,这样未授权的用户可通非法手段修改DRM模块发送给业务模块的验证结果为验证成功,那么即使DRM模块没有获取到DRM签名,业务模块仍然可以正常运行。未授权的用户只需要修改DRM模块发送给业务模块的验证结果即可以随意使用应用程序的业务功能,应用程序业务模块的使用权限无法得到保护。
基于上述问题,本申请提供了一种应用程序的处理方法,该应用程序包括控制模块、DRM模块和一个或多个加密的第一业务模块。控制模块和DRM模块是未加密的。控制模块用于控制第一业务模块的运行以实现应用程序的部分或全部业务功能。例如图片处理应 用程序的业务功能包括打开图片、编辑图片和保存图片。DRM模块用于获取第一业务模块的秘钥并对第一业务模块进行解密。
在该方法中,当应用程序的控制模块获取到用户触发的运行目标第一业务模块的第一运行指令时,控制模块向DRM模块发送鉴权请求。DRM模块根据鉴权请求向DRM服务器发送秘钥获取请求。其中,秘钥获取请求中可包含该用户的用户信息和该目标第一业务模块的模块信息。DRM服务器在根据该用户信息和该模块信息确认该用户具备该目标第一业务模块的使用权限之后,向终端发送该目标第一业务模块的秘钥信息。DRM模块获取到秘钥信息之后对该目标第一业务模块进行解密并在解密成功时发送鉴权成功鉴权响应给控制模块。控制模块再执行该目标第一业务模块对应的业务功能。如此,由于需要被保护的第一业务模块是加密的,即使非法用户通过修改应用程序代码,使得DRM模块发送鉴权成功的鉴权结果给控制模块,只要DRM模块没有获得第一业务模块的秘钥信息,就无法对第一业务模块进行解密,从而可以使得只有具备权限的用户才能使用第一业务模块对应的业务功能,有效地保护应用程序的业务功能的使用权限。
需要说明的是,本申请实施例中,控制模块和DRM模块可以合并一个模块,例如,控制模块和DRM模块可以合并为非业务模块。这样,当非业务模块获取到用户触发的运行目标第一业务模块的第一运行指令时,终端利用非业务模块向DRM服务器发送秘钥获取请求。该秘钥获取请求用于请求DRM服务器在确认该用户具有目标第一业务模块的使用权限时,返回目标第一业务模块的秘钥信息。利用非业务模块获取DRM服务器发送的秘钥信息,再根据秘钥信息对第一业务模块进行解密,并执行目标第一业务模块对应的业务功能。下面具体介绍本申请中提供的一种应用程序的处理方法。
请参图5,图5为本申请实施例的应用程序的处理方法的流程示意图。其中,应用程序包括控制模块、DRM模块和分别加密的一个或多个第一业务模块。控制模块用于控制DRM模块对第一业务模块进行解密并在解密之后控制运行该第一业务模块,以实现第一业务模块对应的业务功能。控制模块例如可包括Application类及其调用的初始化代码,例如读取配置项、初始化数据库连接等。
当应用程序包括一个第一业务模块时,该一个第一业务模块用于实现应用程序的业务功能。当应用程序包括多个第一业务模块时,每个第一业务模块用于实现不同的业务功能。
例如图片处理应用程序中,包括用于实现打开图片的业务功能的打开业务模块、用于实现编辑图片的业务功能的编辑业务模块和用于实现保存图片业务功能的保存业务模块。若打开业务模块、编辑业务模块和保存业务模块是一并加密的,则可认为该图片处理应用程序包括一个第一业务模块。该一个第一业务模块用于实现打开图片的业务功能、编辑图片的业务功能和保存图片的业务功能。若打开业务模块、编辑业务模块和保存业务模块是分别加密的,则图片处理应用程序包括多个第一业务模块,分别为打开业务模块、编辑业务模块和保存业务模块,且每个第一业务模块用于实现图片处理应用程序的不同的业务功能。
该方法包括但不限于以下步骤:
501、控制模块获取用户触发的运行目标第一业务模块的第一运行指令。
例如在图6所示的示例中,应用程序为图片处理应用程序。图片处理应用程序包括分 别加密的三个第一业务模块,分别为用于实现打开图片的业务功能的打开业务模块、用于实现编辑图片的业务功能的编辑业务模块和用于实现保存图片业务功能的保存业务模块。终端的触控显示屏显示有图片处理应用程序的界面600,该界面包括用于触发运行打开业务模块的打开控件601、用于触发运行编辑业务模块的编辑控件602和用于触发运行保存业务模块的保存控件603。当用户在该触控显示屏点击打开控件601时,控制模块通过触控显示屏获取到该点击操作,则确认获取到了运行打开业务模块的第一运行指令,该打开业务模块则为目标第一业务模块。可以理解的是,虽然本申请以触控显示屏作为示例来介绍,但是这并不构成对其的限定。
当应用程序仅包括一个第一业务模块,且该第一业务模块用于实现应用程序的全部业务功能时,控制模块可将用户触发的启动该应用程序的启动指令作为第一运行指令,并将该一个第一业务模块作为目标第一业务模块。
例如,图片处理应用程序包括打开图片、编辑图片、保存图片这三个业务功能。图片处理应用程序包括控制模块、DRM模块和一个加密的第一业务模块。该第一业务模块用于实现图片处理应用程序的全部业务功能。也即是说,图片处理应用程序中,用于实现打开图片业务功能的打开业务模块、用于实现编辑图片业务功能的编辑业务模块和用于实现保存图片业务功能的保存业务模块为一并加密的第一业务模块。控制模块则可将用户触发的启动该图片处理应用程序的启动指令作为第一运行指令。如图7所示,终端可以显示出主界面700,包括图片处理应用程序的图片处理应用图标701、第一聊天应用图标702、第二聊天应用图标703、图库应用图标704、设置应用图标705、相机应用图标706。用户可通过点击图片处理应用图标701,触发启动该图片处理应用程序的启动指令。终端的操作系统获取到用户触发的启动该图片处理应用程序的启动指令之后,启动该应用程序,先运行该图片处理应用程序的控制模块,将控制模块加载至安卓虚拟机中运行。控制模块根据该启动指令确认获取到第一运行指令。
502、控制模块响应于第一运行指令,向DRM模块发送鉴权请求。
控制模块根据该运行指令向DRM模块发送鉴权请求。鉴权请求用于请求DRM模块鉴定该用户是否具备该目标第一业务模块的使用权限。鉴权请求中包括目标第一业务模块对应的模块信息。该模块信息例如可以是目标第一业务模块的业务模块标识。该业务模块标识为能够表示该目标第一业务模块的唯一标识。
控模块可在Application类的attachBaseContext方法中调用com.huawei.DrmSDK.decryptPackage方法。这样控制模块可实现调用DRM模块,并向该控制模块发送鉴权请求。
503、DRM模块根据鉴权请求向DRM服务器发送秘钥获取请求。
秘钥获取请求中包括所述用户的用户信息和所述模块信息。用户信息可包括能够表示该用户的身份的用户标识信息。这样DRM服务器可以根据用户信息找到该用户对应的应用程序权限信息。用户标识信息可以是该用于表示该用户身份的唯一标识信息。该唯一标识信息例如可以是但不限于该终端的用户身份识别卡(SIM卡)的卡标识信息、该用户从应用下载平台下载该应用程序时的用户账号、该用户的邮箱账户、该用户的支付平台的支付ID、银行卡号、身份证号等。
DRM模块根据鉴权请求向DRM服务器发送秘钥获取请求之前,可以通过调用操作系统提供的用于显示输入框的标准函数接口,在终端的显示屏上显示用户信息输入框。用户可通过操作终端在用户信息输入框输入用户标识信息。
例如在如图8所示的示例中,图片处理应用程序的包括分别加密的多个第一业务模块,分别为打开业务模块、编辑业务模块和保存业务模。终端打开图片处理应用程序之后,终端的触控显示屏显示有界面800,该界面800包括用于触发运行打开业务模块的打开控件801、用于触发运行编辑业务模块的编辑控件802和用于触发运行保存业务模块的保存控件803。当用户需要使用图片处理应用程序的打开图片的业务功能时,在触控显示屏点击打开控件801,图片处理应用程序的控制模块确认获取到运行打开业务模块的第一运行指令,将该打开业务模块作为目标第一业务模块。控制模块向图片处理应用程序的DRM模块发送鉴权请求。
然后该DRM模块通过调用操作系统用于显示输入框的标准函数接口,在界面800显示用户信息输入框804,用户可通过操作终端在该用户信息输入框804输入用户标识信息,该用户标识信息例如可以为用户账号。DRM模块再根据该标准函数接口获得用户在输入框804输入的用户标识信息。
当然在其他例子中,不限于在上述界面显示输入框,也可以在其他界面显示输入框。例如,基于图7的示例,图片处理应用程序仅包括一个第一业务模块,且该第一业务模块用于实现应用程序的全部业务功能时,控制可将用户触发的启动该应用程序的启动指令作为第一运行指令,并将该一个第一业务模块作为目标第一业务模块。当控制模块根据该第一运行指令向DRM模块发送鉴权请求之后,在将用户触发的启动该应用程序的启动指令时终端显示的界面(如图7中的界面700)显示输入框。上述用于显示输入框的界面仅用于举例说明,本申请中,对用于显示输入框的界面不做限定。
在一些实施例中,DRM模块获得目标第一业务模块对应的秘钥信息之后,可将该目标第一业务模块对应的模块信息及秘钥信息在所述终端中保存预设时长(例如0.5小时、1小时、2小时、3.5小时、6小时、24小时等)。具体地,DRM模块可将该目标第一业务模块对应的模块信息及秘钥信息保存至终端的存储器中。当该模块信息及秘钥信息在终端中保存的时长超过预设时长时,DRM模块将该模块信息及秘钥信息删除。
DRM模块在接收到控制模块发送的鉴权请求之后,在步骤503之前,DRM模块可以在终端中查找鉴权请求中的模块信息对应的秘钥信息。当终端中存在该模块信息对应的秘钥信息时,DRM模块根据秘钥信息对目标第一业务模块进行解密,并在解密成功时发送鉴权成功的鉴权响应至控制模块。当终端中中不存在该模块信息对应的秘钥信息时,DRM模块执行步骤503,根据鉴权请求向DRM服务器发送秘钥获取请求。
如此,在获得目标第一业务模块对应的秘钥信息之后的预设时长之内,控制模块再次获取到运行该目标第一业务模块的运行指令时,DRM模块可以从终端中查找该目标第一业务模块对应的秘钥信息,而不需要从DRM服务器获取秘钥信息。这样可以提升应用程序的运行效率。而且,当秘钥信息在所述终端中保存的时长超过预设时长时,DRM模块将该秘钥信息删除,这样可以避免秘钥信息长时间存储在终端中导致秘钥信息泄露。例如,用户可能在退出应用程序之后,短时间内又重新打开该应用程序并运行该目标第一业务模块, 这种情况下,DRM模块则不需要从DMR服务器重新获取秘钥信息,从而使得终端可以更快速地运行目标第一业务模块。
504、DRM服务器接收秘钥获取请求,根据秘钥获取请求判断该用户是否具备该目标第一业务模块的使用权限;
在一个例子中,DRM服务器可从权限库中查询该用户信息对应的应用程序权限信息,然后通过判断该用户信息对应的应用程序权限信息是否包括秘钥获取请求中的模块信息,来判断该用户是否具备目标第一业务模块的使用权限。
具体地,权限库中存储有多个用户的用户信息及每个用户信息对应的应用程序权限信息。每个用户信息对应的应用程序权限信息包括,该用户信息对应的用户拥有使用权限的第一业务模块的模块信息。第一业务模块的模块信息例如可以包括第一业务模块的唯一标识信息,也可以包括该第一业务模块对应的应用程序的应用程序唯一标识信息和该第一业务模块的业务模关键词。每个用户信息对应的应用程序权限信息可以是根据该用户信息对应的用户的购买记录确定的。例如,用户Y购买了应用程序M获得了应用程序M的一个第一业务模块K的使用权限,那么在权限库该用户Y的用户信息对应的应用程序权限信息中,包括该第一业务模块K的模块信息。
当该用户信息对应的应用程序权限信息中包含秘钥获取请求中的模块信息时,确认该用户具备该目标第一业务模块的使用权限;当该用户信息对应的模块信息中不包括秘钥获取请求中的模块信息时,确认该用户不具备该目标第一业务模块的使用权限。
在另一个例子中,DRM服务器可以根据用户信息得到用户的用户身份信息,并根据该用户身份信息,确定该用户是否具备该目标第一业务模块的使用权限。用户身份信息例如可包括但不限于用户的年龄、性别、居住地区中的任意一种或多种。
具体地,权限库中存储有具备各个应用程序的第一业务模块的使用权限所需的身份信息要求。DRM服务器可根据用户信息获得该用户的用户身份信息。例如,当用户信息中包含用户身份信息时,DRM服务器可从用户信息中提取出用户身份信息;当用户信息中不包含用户身份信息时,DRM服务器也可以根据用户信息(例如用户标识信息),从身份信息数据库中查询该用户的用户身份信息。DRM服务器可根据秘钥获取请求中的模块信息从权限库中获取该目标第一业务模块对应的身份信息要求,并判断该用户身份信息是否符合该目标第一业务模块对应的身份信息要求。若符合,则DRM服务器可确认该用户具有该目标第一业务模块的使用权限;若不符合,则DRM服务器确认该用户不具有该目标第一业务模块的使用权限。
在一个可选实施例中,秘钥获取请求中还可包括用户信息对应的验证信息。验证信息例如可以包括密码信息、生物特征信息、手势信息中的一种或多种。生物特征信息可包括但不限于指纹信息、面部特征信息、静脉信息、虹膜信息等。
当验证信息为密码信息时,DRM模块可通过调用操作系统用于提供输入框的标准函数接口,在终端显示信息输入框。DRM模块获取用户在用户信息输入框内输入的用户信息和验证信息。用户输入的用户信息例如可以是该用户的用户标识信息。
当验证信息为生物特征信息时,DRM模块可调用操作系统用于采集生物特征的标准函数接口,采集用户的生物特征信息。例如,当验证信息为指纹信息时,DRM模块可以调用 用于采集指纹信息的标准函数接口,采集用户的指纹信息。
较佳地,DRM模块获取到用户信息和用户信息对应的验证信息之后,可将用户信息及对应的验证信息保存在终端的存储器中并设置有效期。当该用户信息及对应的验证信息在终端的存储器中的存储时间超过有效期时,DRM模块删除该用户信息及该验证信息。如此,DRM模块在该有效期内需要再次获取该用户的用户信息及对应的验证信息时,可直接从终端的存储器中获取,而不需要用户再次输入。这样可以简化用户操作,也能够使得终端可以更快速地运行目标第一业务模块。
DRM模块获取到用户信息和对应的验证信息之后,将该用户信息及该验证信息随秘钥获取请求发送至DRM服务器。DRM服务器验证该秘钥获取请求中的验证信息和用户信息是否匹配。若匹配,则DRM服务器确认该用户信息与发出该运行指令的用户是对应的,并进一步判断该用户是否具备该目标第一业务模块的使用权限;若不匹配DRM服务器则可以不必判断继续该用户是否具备该目标第一业务模块的使用权限。这样DRM服务器可以验证该第一运行指令是不是由该用户信息对应的用户触发的,避免非法用户获得具备该目标第一业务模块的使用权限的第一用户的户信息之后,利用该第一用户的用户信息从DRM服务器获得目标第一业务模块的秘钥信息。
DRM服务器中,存储有多个用户信息及与每个用户信息匹配的预存验证信息。当DRM服务器判断该秘钥获取请求中的验证信息和用户信息是否匹配时,可先判断该秘钥获取请求中的验证信息是否和该用户信息对应的预存验证信息相符。若相符,则判定该密钥获取请求中的验证信息和用户信息匹配;若不相符,则判定该秘钥获取请求中的验证信息和用户信息不匹配。
例如,当验证信息为指纹时,DRM服务器中存储有多个用户信息及与每个用户信息匹配的预存指纹信息。DRM模块通过操作系统的标准函数接口调用终端的指纹识别模组采集该用户的指纹信息作为验证信息,并将该用户信息及该指纹信息随秘钥获取请求发送至DRM服务器。DRM服务器判断该秘钥获取请求中的指纹信息是否与该用户信息对应的预存指纹信息相符,若相符,则判定该密钥获取请求中的验证信息和用户信息匹配;若不相符,则判定该秘钥获取请求中的验证信息和用户信息不匹配。
需要说明的是,用户信息不限于仅包含用户标识信息,验证信息也不限于密码信息和生物特征信息。获取用户信息的方式和获取验证信息的方式也不限于上述举例的方式,上述举例仅用于解释说明,不构成对本申请的限定。
在一个可选的实施例中,秘钥获取请求中还可以包括该终端的终端信息,终端信息可以包括用于标识该终端的终端唯一标识,终端唯一标识可以是但不限于终端的物理地址,终端序列号等。
在另一个可选的实施例中,秘钥获取请求中还包括DRM模块的认证信息,该认证信息可以是该应用程序的开发人员预设的。DRM服务器可根据该认证信息验证DRM模块的合法性,这样可以避免非法程序从DRM服务器窃取秘钥信息。
DRM服务器在确认该用户具有该目标第一业务模的使用权限之后,还可以根据终端信息进一步地判断是否可以在该终端运行该目标第一业务模块,这样DRM服务器可实现仅允许具有使用权限的用户在符合预设条件的终端运行目标第一业务模块。
预设条件可以是但不限于是终端的配置参数。配置参数例如可以是内存大小、CPU型号等。这样可以使得目标第一业务模块在符合配置参数符合要求的终端上运行,以保证目标第一业务模块的运行效果。当然,在其他实施例中,预设条件可以为其他条件,在此不作限定。
505、当DRM服务器确认该用户具备该目标第一业务模块的使用权限时,DRM服务器获取该目标第一业务模块的秘钥信息。
DRM服务器中存储有多个第一业务模块的约定的加密方式。DRM服务器可根据秘钥获取请求中的模块信息获取该目标第一业务模块对应的约定的加密方式。例如,模块信息包括目标第一业务模块的业务模块标识时,DRM服务器可根据该业务模块标识获得该目标第一业务模块的约定的加密方式,然后根据该约定的加密方式得到该目标第一业务模块的秘钥信息。DRM服务器再将该秘钥信息发送至终端。秘钥信息例如可以包括该约定的加密方式或根据该加约定的密方式得到的解密算法。
在本申请技术方案中,开发人员可将应用程序的业务模块的代码利用约定的加密方式加密得到一个或多个第一业务模块,再将该应用程序的控制模块、DRM模块和一个或多个第一业务模块打包得到该应用程序的安装包。然后再将该应用程序的安装包发布至应用商店或其他应用下载平台供用户下载。
例如,图片处理应用程序包括打开业务模块、编辑业务模块和保存业务模块。当图片处理应用程序的开发人员需要对打开业务模块、编辑业务模块和保存业务模块一并设置使用权限时,开发人员可将打开业务模块、编辑业务模块和保存业务模块利用约定的加密方式一并加密之后,再将控制模块、DRM模块和一并加密的打开业务模块、编辑业务模块和保存业务模块打包得到该图片处理应用程序的安装包。其中,该一并加密的打开业务模块、编辑业务模块和保存业务模块可理解为一个第一业务模块。当图片处理应用程序的开发人员需要对打开业务模块、编辑业务模块和保存业务模块分别设置使用权限时,开发人员可将打开业务模块、编辑业务模块和保存业务模块利用约定的加密方式分别加密之后,再将控制模块、DRM模块、加密的打开业务模块、加密的编辑业务模块和加密的保存业务模块打包得到该图片处理应用程序的安装包。其中,加密的打开业务模块可理解一个第一业务模块,加密的编辑业务模块可理解为一个第一业务模块,加密的保存业务模块也可理解为一个第一业务模块,那么该应用程序则包括三个第一业务模块。
在一种可选的实施例中,开发人员可将应用程序的业务模块的代码利用约定的加密方式加密得到一个或多个第一业务模块之后,将该应用程序的控制模块、DRM模块和一个或多个第一业务模块打包并进行数字签名得到该应用程序的安装包,然后再将该应用程序的安装包发布至应用商店或其他应用下载平台供用户下载。具体地,开发人员可将业务模块的代码打包为一个新的安卓Dex文件,并利用约定的加密方式对该Dex文件进行加密,该加密的Dex文件包括一个或多个第一业务模块。然后开发人员再将该加密后的Dex文件、控制模块和DRM模块打包并进行签名得到该应用程序的安装包。该数字签名用于标记该应用程序的合法性。若非法用户对合法的应用程序进行修改并重新打包,则会导致数字签名失效。终端在运行该应用程序之前,可通过验证该应用程序的安装包中的数字签名是否有效来验证该应用程序是否为合法的应用程序。
约定的加密方式为开发人员与DRM服务器约定的加密方式。约定的加密方式可以是由应用下载平台提供的,也可以是DRM服务器预存的,还可以是开发人员自行设定的。
约定的加密方式由应用下载平台提供时,应用下载平台将约定的加密方式发送给DRM服务器,并将该约定的加密方式提供给开发人员。这样DRM服务器可以从应用下载平台获得该应用下载平台提供的约定的加密方式,开发人员也可以通过该应用下载平台提供的约定的加密方式对应用程序的业务模块采用该加密方式加密。例如,可以在开发人员将第一业务模块是由约定的加密方式A加密的应用程序发布至应用下载平台时,应用下载平台将该第一业务模块的模块信息及该约定的加密方式A发送至DRM服务器,DRM服务器将该约定的加密方式A及该第一业务模块的模块信息的对应关系存储至DRN服务器的存储器中。
约定的加密方式为DRM服务器的提供的加密方式时,DRM服务器接收到开发终端发送的加密方式获取请求,将约定的加密方式提供给开发终端。开发人员通过开发终端获取到该约定的加密方式,按照该约定的加密方式对业务模块加密得到第一业务模块。DRM服务器可在接收加密方式获取请求时从加密方式获取请求中获得该第一业务模块的模块信息,也可以在开发人员完成应用程序的开发后,获得开发人员通过开发终端反馈的该第一业务模块的模块信息。DRM服务获取到该第一业务模块的模块信息之后将该第一业务模块的模块信息与该约定的加密方式关联,并存储在DRM服务器的存储器中。
当约定的加密方式由开发人员提供时,开发人员可利用自己设定的约定的加密方式对业务模块进行加密得到第一业务模块。开发人员可通过开发终端将该第一业务模块的模块信息和该约定的加密方式发送至DRM服务器,DRM服务器获得并存储该第一业务模块的模块信息及该约定的加密方式。
这样,DRM服务器中存储有多个第一业务模块的模块信息和与每个模块信息对应的约定的加密方式。当DRM服务器接收到终端发送的,用于获取目标第一业务模块的秘钥信息的秘钥获取请求时,DRM服务器根据该秘钥获取请求中的用户信息和模块信息,确认该用户信息对应的用户具备该模块信息对应的目标第一业务模块的使用权限之后,根据该模块信息从DRM服务器的存储器中查询与该模块信息对应的约定的加密方式,然后根据查询得到的约定的加密方式得到该目标第一业务模块的秘钥信息并发送给终端。
约定的加密方式可以是但不限于RSA算法、高级加密标准(AES)、椭圆曲线数字签名算法(ECDSA)。需要说明的是,上述约定的加密方式的设置方案的举例仅用于解释说明,并不构成对本申请的限定,在其他实施例中,也可以采用其他的约定方式得到约定的加密方式。
当应用程序包括多个第一业务模块时,每个第一业务模块的加密方式可以相同也可以不同。
在一个可选实施例中,多个第一业务模块中,存在至少两个不同第一业务模块的加密方式是相同的,这样开发人员可利用相同的加密方式对需要加密的业务模块进行加密,可以减少约定加密方式的次数。
需要说明的是,不同的第一业务模块的加密方式相同时,DRM模块也只会利用获取到的秘钥信息对与第一运行指令对应的目标第一业务模块进行解密。例如,第一业务模块P 和第一业务模块Q的加密方式相同,DRM根据运行第一业务模块P的第一运行指令得到的秘钥信息,只会用于解密第一业务模块P,而不会用于解密第一业务模块Q。这样虽然不同的第一业务模块加密方式是相同的,但是DRM模块仍然可以分别管理每个业第一业务模块的使用权限。
在另一个可选实施例中,不同的第一业务模块的加密方式是不同的。如此,可以避免非法程序截取到一个第一业务模块对应的秘钥信息之后,利用该秘钥信息解密其他第一业务模块,从而可以更有效地管理应用程序的各个第一业务模块的使用权限。
506、DRM服务器将秘钥信息发送至终端。
507、DRM模块接收DRM服务器发送的秘钥信息,根据秘钥信息对业务模块进行解密。
当秘钥信息中包含该约定的加密方式时,DRM模块可根据该约定的加密方式得到解密算法,并利用解密算法对目标第一业务模块进行解密得到解密后的业务模块。当秘钥信息中包含根据该约定的加密方式得到的解密算法时,DRM模块则可以利用秘钥信息中的解密算法对目标第一业务模块进行解密得到解密后的目标第一业务模块。具体地,DRM模块可从应用程序中读取包含了目标第一业务模块执行代码的Dex文件,并利用秘钥信息对该Dex文件解密得到解密后的Dex文件。
508、DRM模块在解密成功时,发送鉴权成功的鉴权响应至控制模块。
具体地,终端启动应用程序之后,先运行控制模块,将控制模块加载至安卓虚拟机中运行。解密成功时,DRM模块可以将解密后的Dex文件加载至按照虚拟机中,以使得控制模块能够在该安卓虚拟机中控制执行该Dex文件的业务代码。
509、控制模块接收到鉴权成功的鉴权响应时,控制运行解密后的目标第一业务模块,以实现所述目标第一业务模块对应的业务功能。
例如,基于上述图6的实施例,DRM模块根据控制模块发送的鉴权请求从DRM服务器获得了该打开业务模块的秘钥信息,并利用该秘钥信息对该打开业务模块解密,得到解密后的打开业务模块。然后DRM模块发送鉴权成功的鉴权响应至控制模块。控制模块接收到该鉴权响应之后,控制运行该打开业务模块。这样用户就可以通过该图片处理应用程序打开图片,例如可打开如图9所示的图片604。
又例如,基于上述图7的实施例,图片处理应用程序中,用于实现打开图片业务功能的打开业务模块、用于实现编辑图片业务功能的编辑业务模块和用于实现保存图片业务功能的保存业务模块为一并加密的第一业务模块。DRM模块根据控制模块发送的鉴权请求从DRM服务器获得了该第一业务模块的秘钥信息,并利用该秘钥信息对该打开业务模块、编辑业务模块和保存业务模块解密,得到解密后的第一业务模块。然后DRM模块发送鉴权成功的鉴权响应至控制模块。控制模块接收到该鉴权响应之后,控制运行该第一业务模块。这样终端就可以进入该应用程序的主界面,使得用户可以通过该图片处理应用程序实现打开图片、编辑图片和保存图片的业务功能。
本申请实施例中,由于需要被保护的第一业务模块是加密的,即使非法用户通过修改应用程序代码,使得DRM模块发送鉴权成功的鉴权响应给控制模块,只要DRM模块没有获得第一业务模块对应的秘钥信息,就无法对第一业务模块进行解密,那么也就无法在终 端运行第一业务模块。终端要运行第一业务模块以实现该对应的业务功能,须获得对应的秘钥信息,而获得秘钥信息的条件是使用该终端的用户须具备该第一业务模块的使用权限。这样,可以使得只有具备第一业务模块的使用权限的用户才能使用该应用程序的第一业务模块的业务功能,从而可以有效地对应用程序的业务功能的使用权限进行保护。
本申请实施例的技术方案可用于支持动态加载的应用程序。支持动态加载的应用程序可以理解为,运行该应用程序时可以分多次加载,而不必一次全部加载完再运行的应用程序。例如,当应用程序为安卓程序时,安卓程序可先加载一部分至安卓虚拟机(DALVIK)并运行,然后再加载一部分至安卓虚拟机并运行。结合本实施例,先加载应用程序的控制模块和DRM模块至安卓虚拟机并运行,然后在DRM模块对加密的目标第一业务模块解密之后,再将解密后的目标第一业务模块加载至安卓虚拟机并运行,这种先加载应用程序的一部分并运行,然后再加载应用程序的另一部分并运行的过程就是动态加载的过程,支持这种加载方式的应用程序则为支持动态加载的应用程序。
由此可见,本申请的技术方案不受操作系统的限制。本申请是通过对应用程序内的业务模块进行加密来实现对应用程序的业务功能的使用权限进行保护,而不需要依赖于操作系统。本申请的可应用于但不限于安卓系统、Windows系统、Linux系统或其他能够支持动态加载的应用程序的系统。
需要说明的是,在上述实施例中,控制模块和DRM模块可以合并一个模块,例如,控制模块和DRM模块可以合并为非业务模块。也即步骤501-503可由非业务模块实现,当非业务模块获取到用户触发的运行所述目标第一业务模块的指令时,非业务模块向DRM服务器发送秘钥获取请求。上述步骤507-步骤509也可由非业务模块实现,非业务模块接收DRM服务器发送的秘钥信息,根据秘钥信息对目标第一业务模块进行解密,并在解密成功时,控制运行该解密后的目标第一业务模块,以实现该目标第一业务模块对应的业务功能。
在进一步的实施例中,终端包括可信执行环境(trusted execution environment,TEE)和富执行环境(rich execution environment,REE)。TEE提供了可信应用(trusted application,TA)的安全行环境,同时也保护TA的资源和数据的保密性、完整性和访问权限。富执行环境REE中运行有终端的操作系统,例如安卓系统、Windows系统等。
控制模块获取到运行指令之后,控制模块将DRM模块加载至TEE中,再向DRM模块发送鉴权请求。这样DRM模块在TEE中根据鉴权请求向DRM服务器发送秘钥获取请求,并接收DRM服务器发送的秘钥信息,从而可以提升秘钥信息的安全性,避免秘钥信息被非法程序获取。这样TEE可以保证DRM模块的资源和数据的保密性、完整性和访问权限,从而可以提升权应用程序的使用权限管理的安全性。
在一些实施例中,控制模块获取到用户触发的运行目标第一业务模块的运行指令时,在终端的显示屏显示预设画面,并向DRM模块发送鉴权请求。在控制模块接收到DRN模块发送的鉴权成功的鉴权响应时,控制模块停止在终端显示预设画面,并控制运行目标第一业务模块,以实现业务模块对应的业务功能。这样,在DRM模块发送秘钥获取请求,请求DRM服务器下发秘钥信息的过程中,终端显示预设画面,可以避免终端因获取秘钥信息无法马上运行目标第一业务模块,而让用户误认为应用程序卡顿。
基于上述实施例,在一个可选实施例中,应用程序还包括未加密的第二业务模块。加 密的一个或多个第一业务模块用于实现该应用程序的一部分业务功能,未加密的业务模块用于实现该应用程序的另一部分业务功能。当控制模块获取到用户触发的运行第二业务模块的运行指令时,控制模块控制运行第二业务模块,以实现第二业务模块对应的业务功能。这样应用程序的开发人员可以通过部分加密的方式设置部分业务功能的使用权限。
例如,图片处理应用程序包括用于实现打开图片的业务功能的打开业务模块、用于实现编辑图片的业务功能的编辑业务模块、用于实现保存图片业务功能的保存业务模块和用于实现图片拼接业务功能的拼接业务模块。其中,打开业务模块、编辑业务模块和保存业务模块是加密的,该拼接业务模块是未加密的。那么该打开业务模块、编辑业务模块和保存业务模块可理解为第一业务模块,拼接业务模块则可理解为第二业务模块。
如图10所示,终端运行图片处理应用程序之后,显示界面1000,该界面1000包括与打开业务模块对应的打开控件1001、与编辑业务模块对应的编辑控件1002、与保存业务模块对应的保存控件1003和与拼接业务模块对应的拼接控件1004。
当用户通过在终端的触控显示屏点击打开业控件1001、编辑控件1002或保存控件1003中的任意一个控件时,则触发了第一运行指令,控制模块可根据该点击操作确认获取到了第一运行指令。当用户通过在终端的触控显示屏点击拼接控件1004时,则触发了第二运行指令,控制模块可根据该点击操作确认获取到了第二运行指令。
本申请实施例提供了一种计算机存储介质,包括计算机指令,当计算机指令在终端上运行时,使得终端执行上述任一可能的实施例中的应用程序的处理方法。
本申请实施例提供了一种计算机程序产品,当计算机程序产品在终端上运行时,使得终端执行上述任一可能的实施例中的应用程序的处理方法。
以上所述,以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的范围。
Claims (10)
- 一种应用程序的处理方法,其特征在于,所述应用程序包括一个或多个加密的第一业务模块和未加密的非业务模块;所述方法包括:当所述非业务模块获取到用户触发的运行目标第一业务模块的第一运行指令时,终端利用所述非业务模块向数字版权管理(Digital Rights Management,DRM)服务器发送秘钥获取请求,所述秘钥获取请求,用于请求所述目标第一业务模块对应的秘钥信息,其中,所述秘钥信息是所述DRM服务器在确认所述用户具有所述目标第一业务模块的使用权限时反馈的;所述终端利用所述非业务模块获取所述DRM服务器发送的所述秘钥信息;所述终端利用所述非业务模块根据所述秘钥信息对所述目标第一业务模块进行解密,并执行所述目标第一业务模块对应的业务功能。
- 根据权利要求1所述的应用程序的处理方法,其特征在于,所述秘钥获取请求包括所述用户的用户信息和所述目标第一业务模块的模块信息,以用于所述DRM服务器根据所述用户信息查询所述用户的应用程序权限信息,并根据所述应用程序权限信息以及所述模块信息确定所述用户具有所述目标第一业务模块的使用权限。
- 根据权利要求2所述的方法,其特征在于,所述秘钥获取请求还包括所述用户提供的与所述用户信息对应的验证信息,所述验证信息用于DRM服务器在所述查询步骤之前,确认所述用户信息与所述验证信息匹配。
- 根据权利要求1-3任一项所述的方法,其特征在于,所述终端利用所述非业务模块向DRM服务器发送秘钥获取请求之前,所述方法还包括:所述终端利用所述非业务模块确定所述终端中不具有所述目标第一业务模块对应的秘钥信息。
- 根据权利要求1-4任一项所述的方法,其特征在于,所述应用程序还包括未加密的第二业务模块;所述方法还包括:当所述非业务模块获取到用户触发的运行所述第二业务模块的第二运行指令时,所述终端通过所述非业务模块执行所述第二业务模块对应的业务功能。
- 根据权利要求1所述的方法,其特征在于,所述非业务模块包括控制模块和DRM模块;所述终端利用所述非业务模块向DRM服务器发送秘钥获取请求,具体包括:所述终端利用所述控制模块向所述DRM模块发送鉴权请求;所述终端利用所述DRM模块根据所述鉴权请求向DRM服务器发送秘钥获取请求;所述终端利用所述非业务模块接收所述DRM服务器发送的秘钥信息,具体包括:所述终端利用所述DRM模块接收所述DRM服务器发送的秘钥信息;所述终端利用所述非业务模块根据所述秘钥信息对所述目标第一业务模块进行解密, 并执行所述目标第一业务模块对应的业务功能包括:所述终端利用所述DRM模块根据所述秘钥信息对所述目标第一业务模块进行解密,并在解密成功时发送鉴权成功的鉴权响应至所述控制模块;在所述控制模块接收到所述鉴权成功的鉴权响应时,所述终端利用所述控制模块执行所述目标第一业务模块对应的业务功能。
- 根据权利要求6所述的方法,其特征在于,所述终端利用所述控制模块向所述DRM模块发送鉴权请求包括:所述终端显示预设画面,并通过所述控制模块向所述DRM模块发送鉴权请求;所述在所述控制模块接收到所述鉴权成功的鉴权响应时,所述终端利用所述控制模块执行所述目标第一业务模块对应的业务功能,具体包括:在所述控制模块接收到鉴权成功的鉴权响应时,所述终端停止显示所述预设画面,并利用所述控制模块执行所述目标第一业务模块对应的业务功能。
- 一种终端,包括显示屏,存储器,一个或多个处理器,以及多个应用程序,其中,所述存储器中存储一个或多个程序;其特征在于,所述一个或多个处理器在运行所述一个或多个程序时,使得所述终端执行如权利要求1至7任一项所述的方法。
- 一种计算机存储介质,其特征在于,包括计算机指令,当所述计算机指令在终端上运行时,使得所述终端执行如权利要求1至7任一项所述的方法。
- 一种计算机程序产品,其特征在于,当所述计算机程序产品在终端上运行时,使得所述终端执行如权利要求1至7任一项所述的方法。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP20869324.2A EP4030680A4 (en) | 2019-09-29 | 2020-09-27 | APPLICATION TREATMENT METHOD AND ASSOCIATED PRODUCT |
US17/764,777 US20220335107A1 (en) | 2019-09-29 | 2020-09-27 | Method for Processing Application Program and Related Product |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910935759.1 | 2019-09-29 | ||
CN201910935759.1A CN110752929B (zh) | 2019-09-29 | 2019-09-29 | 应用程序的处理方法及相关产品 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021057982A1 true WO2021057982A1 (zh) | 2021-04-01 |
Family
ID=69277458
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/118165 WO2021057982A1 (zh) | 2019-09-29 | 2020-09-27 | 应用程序的处理方法及相关产品 |
Country Status (4)
Country | Link |
---|---|
US (1) | US20220335107A1 (zh) |
EP (1) | EP4030680A4 (zh) |
CN (1) | CN110752929B (zh) |
WO (1) | WO2021057982A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115865729A (zh) * | 2022-11-24 | 2023-03-28 | 杭州米络星科技(集团)有限公司 | 程序服务健康性判断方法和装置、存储介质和终端 |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110752929B (zh) * | 2019-09-29 | 2022-04-22 | 华为终端有限公司 | 应用程序的处理方法及相关产品 |
CN112257041B (zh) * | 2020-10-19 | 2024-07-16 | 北京五一视界数字孪生科技股份有限公司 | 项目的控制方法、装置及电子设备 |
CN115189953B (zh) * | 2022-07-13 | 2024-02-06 | 深圳微言科技有限责任公司 | 基于隐私保护的双向通讯装置 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140047558A1 (en) * | 2012-07-16 | 2014-02-13 | Infosys Limited | System and method for providing access of digital contents to offline drm users |
CN107646110A (zh) * | 2015-03-30 | 2018-01-30 | 爱迪德技术有限公司 | 在设备上访问内容 |
US20180089400A1 (en) * | 2013-01-29 | 2018-03-29 | Mobitv, Inc. | Digital rights management for http-based media streaming |
CN109728912A (zh) * | 2017-10-30 | 2019-05-07 | 中国电信股份有限公司 | 播放内容安全传输方法、系统以及终端 |
CN110752929A (zh) * | 2019-09-29 | 2020-02-04 | 华为终端有限公司 | 应用程序的处理方法及相关产品 |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7155415B2 (en) * | 2000-04-07 | 2006-12-26 | Movielink Llc | Secure digital content licensing system and method |
US10380568B1 (en) * | 2005-12-20 | 2019-08-13 | Emc Corporation | Accessing rights-managed content from constrained connectivity devices |
US8972726B1 (en) * | 2009-08-26 | 2015-03-03 | Adobe Systems Incorporated | System and method for digital rights management using a secure end-to-end protocol with embedded encryption keys |
CN101729550B (zh) * | 2009-11-09 | 2012-07-25 | 西北大学 | 基于透明加解密的数字内容安全防护系统及加解密方法 |
KR20110093468A (ko) * | 2010-02-12 | 2011-08-18 | 삼성전자주식회사 | 사용자 단말 장치, 서버 및 그 제어 방법 |
CN101833623B (zh) * | 2010-05-07 | 2013-02-13 | 华为终端有限公司 | 数字版权管理方法及系统 |
US20140047557A1 (en) * | 2012-07-16 | 2014-02-13 | Infosys Limited | Providing access of digital contents to online drm users |
CN106230777A (zh) * | 2016-07-12 | 2016-12-14 | 珠海市魅族科技有限公司 | 一种防止文件被破解的方法及终端 |
CN106603230B (zh) * | 2016-12-30 | 2019-09-27 | 北京奇艺世纪科技有限公司 | 一种drm密钥保存、读取方法和保存、读取系统 |
-
2019
- 2019-09-29 CN CN201910935759.1A patent/CN110752929B/zh active Active
-
2020
- 2020-09-27 EP EP20869324.2A patent/EP4030680A4/en active Pending
- 2020-09-27 WO PCT/CN2020/118165 patent/WO2021057982A1/zh unknown
- 2020-09-27 US US17/764,777 patent/US20220335107A1/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140047558A1 (en) * | 2012-07-16 | 2014-02-13 | Infosys Limited | System and method for providing access of digital contents to offline drm users |
US20180089400A1 (en) * | 2013-01-29 | 2018-03-29 | Mobitv, Inc. | Digital rights management for http-based media streaming |
CN107646110A (zh) * | 2015-03-30 | 2018-01-30 | 爱迪德技术有限公司 | 在设备上访问内容 |
CN109728912A (zh) * | 2017-10-30 | 2019-05-07 | 中国电信股份有限公司 | 播放内容安全传输方法、系统以及终端 |
CN110752929A (zh) * | 2019-09-29 | 2020-02-04 | 华为终端有限公司 | 应用程序的处理方法及相关产品 |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115865729A (zh) * | 2022-11-24 | 2023-03-28 | 杭州米络星科技(集团)有限公司 | 程序服务健康性判断方法和装置、存储介质和终端 |
Also Published As
Publication number | Publication date |
---|---|
EP4030680A4 (en) | 2022-10-26 |
US20220335107A1 (en) | 2022-10-20 |
EP4030680A1 (en) | 2022-07-20 |
CN110752929A (zh) | 2020-02-04 |
CN110752929B (zh) | 2022-04-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111466099B (zh) | 一种登录方法、令牌发送方法、设备及存储介质 | |
WO2021057982A1 (zh) | 应用程序的处理方法及相关产品 | |
EP4063203A1 (en) | Authentication method and medium and electronic apparatus thereof | |
WO2020098664A1 (zh) | 一种删除安全业务的方法及电子设备 | |
WO2021253975A1 (zh) | 应用程序的权限管理方法、装置和电子设备 | |
WO2020238728A1 (zh) | 智能终端的登录方法及电子设备 | |
WO2020150917A1 (zh) | 一种应用权限的管理方法及电子设备 | |
CN113408016B (zh) | 保存密文的方法和装置 | |
WO2022160991A1 (zh) | 权限控制方法和电子设备 | |
WO2022089121A1 (zh) | 处理推送消息的方法和装置 | |
WO2022022422A1 (zh) | 一种权限管理方法及终端设备 | |
WO2022111469A1 (zh) | 一种文件共享方法、装置及电子设备 | |
WO2022166502A1 (zh) | 数据保护方法、系统、介质及电子设备 | |
CN114692119A (zh) | 校验应用的方法和电子设备 | |
CN116669020B (zh) | 一种密码管理方法、系统和电子设备 | |
US20230214532A1 (en) | Permission negotiation method and apparatus during communication, and electronic device | |
WO2022042273A1 (zh) | 密钥使用方法及相关产品 | |
US20240233933A1 (en) | Contact tracing method and related device | |
WO2024046418A1 (zh) | 一种数据保护方法及电子设备 | |
WO2024061326A1 (zh) | 一种数据保护方法及电子设备 | |
CN116049826B (zh) | 基于tpm的数据保护方法、电子设备及存储介质 | |
CN118364456A (zh) | 文件打开方法、装置和终端设备 | |
CN118797664A (zh) | 一种数据加密方法和电子设备 | |
CN115202559A (zh) | 权限管理方法及相关设备 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 20869324 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 2020869324 Country of ref document: EP Effective date: 20220411 |