CN106407797B - Application authority control device and method - Google Patents

Info

Publication number
CN106407797B
Authority
CN
China
Prior art keywords
application
authority
terminal
module
calling
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610809036.3A
Other languages
Chinese (zh)
Other versions
CN106407797A (en
Inventor
安占磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nubia Technology Co Ltd
Original Assignee
Nubia Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nubia Technology Co Ltd filed Critical Nubia Technology Co Ltd
Priority to CN201610809036.3A priority Critical patent/CN106407797B/en
Publication of CN106407797A publication Critical patent/CN106407797A/en
Application granted granted Critical
Publication of CN106407797B publication Critical patent/CN106407797B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04M - TELEPHONIC COMMUNICATION
    • H04M1/00 - Substation equipment, e.g. for use by subscribers
    • H04M1/72 - Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724 - User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72448 - User interfaces specially adapted for cordless or mobile telephones with means for adapting the functionality of the device according to specific conditions
    • H04M1/72463 - User interfaces specially adapted for cordless or mobile telephones with means for adapting the functionality of the device according to specific conditions to restrict the functionality of the device

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Human Computer Interaction (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an application authority control device and method. The device comprises: an application monitoring module for monitoring applications installed on the terminal; a method analysis module for analyzing the plurality of methods that the application requests to call from the terminal; a method management module for judging, according to the calling relations corresponding to the methods, whether there is a background method that cannot be associated with the user interface layer of the terminal through a calling relation; and an authority management module for prohibiting the application from acquiring the authority to call the background method when the judgment result is yes. The methods that the application requests to call are analyzed when the application is installed. A called method that is a background method not associated with the user interface layer has a large influence on terminal security, so to avoid damage to terminal security caused by calling such a method in the background, the authority of the application is limited so that it cannot call the background method, which improves the security of the terminal.

Description

Application authority control device and method
Technical Field
The invention relates to the technical field of computers, in particular to an application authority control device and method.
Background
When downloading and installing applications (APPs) on a mobile phone, many users find that, besides relatively reasonable rights such as obtaining location information, some software also requests unreasonable rights such as freely reading the address book and short messages. Once the user unknowingly grants these rights to such APPs, danger follows.
Because the Android system is extremely open, the native Android architecture places no limit on the authorities that an application may request during development. This leaves a loophole that lets developers request authorities at will and increases the risk of leaking the user's private information. In the current Android market, excessive abuse of APP permissions has become a pervasive phenomenon. Many advertisers, advertising alliances and developers collect users' private information by abusing authorities, and even implant background plug-ins for malicious fee deduction through the loopholes left by the related authorities.
Therefore, a technical scheme is needed to control application permissions, so that the abuse of permissions is restrained to a certain extent and the security of the user's mobile phone is improved.
Disclosure of Invention
The invention mainly aims to provide an application authority control device and method, aiming at limiting an application to acquire partial authority so as to prevent the safety of a user terminal from being influenced.
To achieve the above object, the present invention provides an application authority control device, including: an application monitoring module for monitoring applications installed on the terminal; a method analysis module for analyzing the plurality of methods that the application requests to call from the terminal; a method management module for judging, according to the calling relations corresponding to the methods, whether there is a background method that cannot be associated with the user interface layer of the terminal through the calling relation; and an authority management module for prohibiting the application from acquiring the authority to call the background method when the judgment result is yes.
Optionally, in the foregoing device, the application monitoring module registers a monitor in the framework layer of the terminal to monitor application installation.
Optionally, in the foregoing device, the method management module parses the plurality of methods according to the user interface registration information recorded in the configuration files corresponding to the methods.
Optionally, the foregoing device further includes an exception module for judging whether the authority belongs to the preset exception authorities; when the judgment result is no, the authority management module prohibits the application from acquiring the authority.
Optionally, the foregoing device further includes a type module for judging, according to the type of the application, whether the application needs to call the method; when the judgment result is no, the authority management module prohibits the application from acquiring the authority.
To achieve the above object, the present invention further provides an application authority control method, including: monitoring applications installed on a terminal; analyzing the plurality of methods that the application requests to call from the terminal; judging, according to the calling relations corresponding to the methods, whether there is a background method that cannot be associated with the user interface layer of the terminal through the calling relation; and when the judgment result is yes, prohibiting the application from acquiring the authority to call the background method.
Optionally, in the foregoing method, monitoring applications installed on the terminal specifically includes: registering a monitor in the framework layer of the terminal to monitor application installation.
Optionally, in the foregoing method, analyzing the plurality of methods that the application requests to call from the terminal specifically includes: analyzing the plurality of methods according to the user interface registration information recorded in the configuration files corresponding to the methods.
Optionally, before prohibiting the application from acquiring the authority to call the background method, the method further includes: judging whether the authority belongs to the preset exception authorities, and if not, prohibiting the application from acquiring the authority.
Optionally, before prohibiting the application from acquiring the authority to call the background method, the method further includes: judging, according to the type of the application, whether the application needs to call the method, and if not, prohibiting the application from acquiring the authority.
According to the above technical scheme, the application authority control device and method have the following advantages:
The applications installed on the terminal are monitored, and the methods that an application requests to call are analyzed when the application is installed. A called method that is a background method not associated with the user interface layer has a large influence on the security of the terminal. Therefore, to avoid damage to terminal security caused by calling such a method in the background, the authority of the application is limited so that the application cannot call the background method, and the security of the terminal is improved.
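The decision procedure summarized above (call-relation analysis at install time, followed by the exception-authority and application-type checks), written out as an added Python example that is not part of the patent. The call graph, method names, application types and exception list are constructed sample data, and the one-permission-per-method mapping is an assumption.

```python
from collections import deque

# Constructed sample data for a hypothetical app (not from the patent).
# Caller -> callees, as recovered from the package being installed.
CALL_GRAPH = {
    "MainActivity.onClick": ["LocationHelper.refresh", "ContactsPicker.open"],
    "LocationHelper.refresh": ["terminal.getLocation", "LocationHelper.refresh"],
    "ContactsPicker.open": ["terminal.readContacts"],
    "BootReceiver.onReceive": ["SyncJob.run"],
    "SyncJob.run": ["terminal.readSms", "terminal.sendSms"],
    "PushService.onMessage": ["terminal.acquireWakeLock"],
}
# Methods that the configuration file registers with the user interface layer.
UI_ENTRY_POINTS = {"MainActivity.onClick"}
# Terminal methods and the authority guarding each (assumed 1:1 mapping).
METHOD_PERMISSION = {
    "terminal.getLocation": "ACCESS_FINE_LOCATION",
    "terminal.readContacts": "READ_CONTACTS",
    "terminal.readSms": "READ_SMS",
    "terminal.sendSms": "SEND_SMS",
    "terminal.acquireWakeLock": "WAKE_LOCK",
}
# Preset exception authorities: never prohibited by this check.
EXCEPTION_PERMISSIONS = {"WAKE_LOCK"}
# Terminal methods that an application of a given type is expected to need.
TYPE_NEEDS = {
    "navigation": {"terminal.getLocation"},
    "messaging": {"terminal.readSms", "terminal.sendSms"},
}


def ui_reachable(call_graph, ui_entry_points):
    """Every method linked to the UI layer through some chain of calls."""
    seen = set(ui_entry_points)
    queue = deque(ui_entry_points)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in seen:  # also stops on recursive call cycles
                seen.add(callee)
                queue.append(callee)
    return seen


def requested_terminal_methods(call_graph, method_permission):
    """Permission-guarded terminal methods that the app calls anywhere."""
    return {
        callee
        for callees in call_graph.values()
        for callee in callees
        if callee in method_permission
    }


def background_methods(call_graph, ui_entry_points,
                       method_permission=METHOD_PERMISSION):
    """Requested terminal methods with no calling relation to the UI layer."""
    requested = requested_terminal_methods(call_graph, method_permission)
    return requested - ui_reachable(call_graph, ui_entry_points)


def decide_permissions(call_graph, ui_entry_points, app_type,
                       method_permission=METHOD_PERMISSION,
                       exception_permissions=EXCEPTION_PERMISSIONS,
                       type_needs=TYPE_NEEDS):
    """Return (granted, denied) sets of authorities for the installing app."""
    requested = requested_terminal_methods(call_graph, method_permission)
    background = background_methods(call_graph, ui_entry_points,
                                    method_permission)
    needed = type_needs.get(app_type, set())
    denied = set()
    for method in background:
        permission = method_permission[method]
        if permission in exception_permissions:
            continue  # exception module: preset exception authority
        if method in needed:
            continue  # type module: this type of app needs the method
        denied.add(permission)
    granted = {method_permission[m] for m in requested} - denied
    return granted, denied


if __name__ == "__main__":
    for app_type in ("navigation", "messaging"):
        granted, denied = decide_permissions(CALL_GRAPH, UI_ENTRY_POINTS,
                                             app_type)
        print(app_type, "granted:", sorted(granted), "denied:", sorted(denied))
```
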
Drawings
Fig. 1 is a schematic diagram of a hardware structure of a mobile terminal implementing various embodiments of the present invention;
Fig. 2 is a diagram of a wireless communication system for the mobile terminal shown in Fig. 1;
Fig. 3 is a block diagram of an application authority control apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an application authority control apparatus according to an embodiment of the present invention;
Fig. 5 is a block diagram of an application authority control apparatus according to an embodiment of the present invention;
Fig. 6 is a flowchart of an application of the application authority control apparatus according to an embodiment of the present invention;
Fig. 7 is a flowchart of an application authority control method according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
A mobile terminal implementing various embodiments of the present invention will now be described with reference to the accompanying drawings. In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for facilitating the explanation of the present invention, and have no specific meaning in themselves. Thus, "module" and "component" may be used in a mixture.
The mobile terminal may be implemented in various forms. For example, the terminal described in the present invention may include a mobile terminal such as a mobile phone, a smart phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet computer), a PMP (portable multimedia player), a navigation device, and the like, and a stationary terminal such as a digital TV, a desktop computer, and the like. In the following, it is assumed that the terminal is a mobile terminal. However, it will be understood by those skilled in the art that the configuration according to the embodiment of the present invention can be applied to a fixed type terminal in addition to elements particularly used for moving purposes.
Fig. 1 is a schematic hardware configuration of a mobile terminal implementing various embodiments of the present invention.
The mobile terminal 100 may include a wireless communication unit 110, an A/V (audio/video) input unit 120, a user input unit 130, an output unit 150, a memory 160, an interface unit 170, a controller 180, a power supply unit 190, and the like. Fig. 1 illustrates a mobile terminal having various components, but it is to be understood that implementing all of the illustrated components is not a requirement. More or fewer components may alternatively be implemented. Elements of the mobile terminal will be described in detail below.
The wireless communication unit 110 typically includes one or more components that allow radio communication between the mobile terminal 100 and a wireless communication system or network. For example, the wireless communication unit may include at least one of a broadcast receiving module 111, a mobile communication module 112, a wireless internet module 113, a short-range communication module 114, and a location information module 115.
The broadcast receiving module 111 receives a broadcast signal and/or broadcast associated information from an external broadcast management server via a broadcast channel. The broadcast channel may include a satellite channel and/or a terrestrial channel. The broadcast management server may be a server that generates and transmits a broadcast signal and/or broadcast associated information, or a server that receives a previously generated broadcast signal and/or broadcast associated information and transmits it to a terminal. The broadcast signal may include a TV broadcast signal, a radio broadcast signal, a data broadcast signal, and the like. The broadcast signal may further include a broadcast signal combined with a TV or radio broadcast signal. The broadcast associated information may also be provided via a mobile communication network, in which case it may be received by the mobile communication module 112. The broadcast signal may exist in various forms, for example in the form of an Electronic Program Guide (EPG) of Digital Multimedia Broadcasting (DMB), an Electronic Service Guide (ESG) of digital video broadcasting-handheld (DVB-H), and the like. The broadcast receiving module 111 may receive signal broadcasts by using various types of broadcasting systems. In particular, the broadcast receiving module 111 may receive digital broadcasts by using a digital broadcasting system such as digital multimedia broadcasting-terrestrial (DMB-T), digital multimedia broadcasting-satellite (DMB-S), digital video broadcasting-handheld (DVB-H), forward link media (MediaFLO®), integrated services digital broadcasting-terrestrial (ISDB-T), and the like. The broadcast receiving module 111 may be constructed to be suitable for various broadcasting systems that provide broadcast signals, as well as the above-described digital broadcasting systems.
The broadcast signal and/or broadcast associated information received via the broadcast receiving module 111 may be stored in the memory 160 (or other type of storage medium).
The mobile communication module 112 transmits and/or receives radio signals to and/or from at least one of a base station (e.g., access point, node B, etc.), an external terminal, and a server. Such radio signals may include voice call signals, video call signals, or various types of data transmitted and/or received according to text and/or multimedia messages.
The wireless internet module 113 supports wireless internet access of the mobile terminal. The module may be internally or externally coupled to the terminal. The wireless internet access technology to which the module relates may include WLAN (wireless LAN) (Wi-Fi), Wibro (wireless broadband), Wimax (worldwide interoperability for microwave access), HSDPA (high speed downlink packet access), and the like.
The short-range communication module 114 is a module for supporting short-range communication. Some examples of short-range communication technologies include Bluetooth™, Radio Frequency Identification (RFID), Infrared Data Association (IrDA), Ultra Wideband (UWB), ZigBee™, and so on.
The location information module 115 is a module for checking or acquiring location information of the mobile terminal. A typical example of the location information module is a GPS (global positioning system). According to the current technology, the GPS module 115 calculates distance information and accurate time information from three or more satellites and applies triangulation to the calculated information, thereby accurately calculating three-dimensional current location information according to longitude, latitude, and altitude. Currently, a method for calculating position and time information uses three satellites and corrects an error of the calculated position and time information by using another satellite. In addition, the GPS module 115 can calculate speed information by continuously calculating current position information in real time.
The A/V input unit 120 is used to receive an audio or video signal. The A/V input unit 120 may include a camera 121 and a microphone 122. The camera 121 processes image data of still pictures or video obtained by an image capturing apparatus in a video capturing mode or an image capturing mode. The processed image frames may be displayed on the display unit 151. The image frames processed by the camera 121 may be stored in the memory 160 (or other storage medium) or transmitted via the wireless communication unit 110, and two or more cameras 121 may be provided according to the construction of the mobile terminal. The microphone 122 may receive sounds (audio data) in a phone call mode, a recording mode, a voice recognition mode, or the like, and can process such sounds into audio data. In the phone call mode, the processed audio (voice) data may be converted into a format that can be transmitted to a mobile communication base station via the mobile communication module 112. The microphone 122 may implement various types of noise cancellation (or suppression) algorithms to cancel (or suppress) noise or interference generated in the course of receiving and transmitting audio signals.
The user input unit 130 may generate key input data according to a command input by a user to control various operations of the mobile terminal. The user input unit 130 allows a user to input various types of information, and may include a keyboard, dome sheet, touch pad (e.g., a touch-sensitive member that detects changes in resistance, pressure, capacitance, and the like due to being touched), scroll wheel, joystick, and the like. In particular, when the touch pad is superimposed on the display unit 151 in the form of a layer, a touch screen may be formed.
The interface unit 170 serves as an interface through which at least one external device is connected to the mobile terminal 100. For example, the external device may include a wired or wireless headset port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port, and the like. The identification module may store various information for authenticating a user using the mobile terminal 100 and may include a User Identity Module (UIM), a Subscriber Identity Module (SIM), a Universal Subscriber Identity Module (USIM), and the like. In addition, a device having an identification module (hereinafter, referred to as an "identification device") may take the form of a smart card, and thus, the identification device may be connected with the mobile terminal 100 via a port or other connection means. The interface unit 170 may be used to receive input (e.g., data information, power, etc.) from an external device and transmit the received input to one or more elements within the mobile terminal 100 or may be used to transmit data between the mobile terminal and the external device.
In addition, when the mobile terminal 100 is connected with an external cradle, the interface unit 170 may serve as a path through which power is supplied from the cradle to the mobile terminal 100 or may serve as a path through which various command signals input from the cradle are transmitted to the mobile terminal. Various command signals or power input from the cradle may be used as signals for recognizing whether the mobile terminal is accurately mounted on the cradle. The output unit 150 is configured to provide output signals (e.g., audio signals, video signals, alarm signals, vibration signals, etc.) in a visual, audio, and/or tactile manner. The output unit 150 may include a display unit 151, an audio output module 152, an alarm unit 153, and the like.
The display unit 151 may display information processed in the mobile terminal 100. For example, when the mobile terminal 100 is in a phone call mode, the display unit 151 may display a User Interface (UI) or a Graphical User Interface (GUI) related to a call or other communication (e.g., text messaging, multimedia file downloading, etc.). When the mobile terminal 100 is in a video call mode or an image capturing mode, the display unit 151 may display a captured image and/or a received image, a UI or GUI showing a video or an image and related functions, and the like.
Meanwhile, when the display unit 151 and the touch pad are overlapped with each other in the form of a layer to form a touch screen, the display unit 151 may serve as an input device and an output device. The display unit 151 may include at least one of a Liquid Crystal Display (LCD), a thin film transistor LCD (TFT-LCD), an Organic Light Emitting Diode (OLED) display, a flexible display, a three-dimensional (3D) display, and the like. Some of these displays may be configured to be transparent to allow a user to view from the outside, which may be referred to as transparent displays, and a typical transparent display may be, for example, a TOLED (transparent organic light emitting diode) display or the like. Depending on the particular desired implementation, the mobile terminal 100 may include two or more display units (or other display devices), for example, the mobile terminal may include an external display unit (not shown) and an internal display unit (not shown). The touch screen may be used to detect a touch input pressure as well as a touch input position and a touch input area.
The audio output module 152 may convert audio data received by the wireless communication unit 110 or stored in the memory 160 into an audio signal and output as sound when the mobile terminal is in a call signal reception mode, a call mode, a recording mode, a voice recognition mode, a broadcast reception mode, or the like. Also, the audio output module 152 may provide audio output related to a specific function performed by the mobile terminal 100 (e.g., a call signal reception sound, a message reception sound, etc.). The audio output module 152 may include a speaker, a buzzer, and the like.
The alarm unit 153 may provide an output to notify the mobile terminal 100 of the occurrence of an event. Typical events may include call reception, message reception, key signal input, touch input, and the like. In addition to audio or video output, the alarm unit 153 may provide output in different ways to notify the occurrence of an event. For example, the alarm unit 153 may provide an output in the form of vibration, and when a call, a message, or some other incoming communication is received, the alarm unit 153 may provide a tactile output (i.e., vibration) to inform the user thereof. By providing such a tactile output, the user can recognize the occurrence of various events even when the user's mobile phone is in the user's pocket. The alarm unit 153 may also provide an output notifying the occurrence of an event via the display unit 151 or the audio output module 152.
The memory 160 may store software programs and the like for processing and controlling operations performed by the controller 180, or may temporarily store data (e.g., a phonebook, messages, still images, videos, and the like) that has been or will be output. Also, the memory 160 may store data regarding various ways of vibration and audio signals output when a touch is applied to the touch screen.
The memory 160 may include at least one type of storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. Also, the mobile terminal 100 may cooperate with a network storage device that performs a storage function of the memory 160 through a network connection.
The controller 180 generally controls the overall operation of the mobile terminal. For example, the controller 180 performs control and processing related to voice calls, data communications, video calls, and the like.
The power supply unit 190 receives external power or internal power and provides appropriate power required to operate various elements and components under the control of the controller 180.
The various embodiments described herein may be implemented in a computer-readable medium using, for example, computer software, hardware, or any combination thereof. For a hardware implementation, the embodiments described herein may be implemented using at least one of an Application Specific Integrated Circuit (ASIC), a Digital Signal Processor (DSP), a Digital Signal Processing Device (DSPD), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a processor, a controller, a microcontroller, a microprocessor, an electronic unit designed to perform the functions described herein, and in some cases, such embodiments may be implemented in the controller 180. For a software implementation, the implementation such as a process or a function may be implemented with a separate software module that allows performing at least one function or operation. The software codes may be implemented by software applications (or programs) written in any suitable programming language, which may be stored in the memory 160 and executed by the controller 180.
Up to this point, mobile terminals have been described in terms of their functionality. Hereinafter, a slide-type mobile terminal among various types of mobile terminals, such as a folder-type, bar-type, swing-type, slide-type mobile terminal, and the like, will be described as an example for the sake of brevity. Accordingly, the present invention can be applied to any type of mobile terminal, and is not limited to a slide type mobile terminal.
The mobile terminal 100 as shown in fig. 1 may be configured to operate with communication systems such as wired and wireless communication systems and satellite-based communication systems that transmit data via frames or packets.
A communication system in which a mobile terminal according to the present invention is operable will now be described with reference to fig. 2.
Such communication systems may use different air interfaces and/or physical layers. For example, the air interface used by the communication system includes, for example, Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA), and Universal Mobile Telecommunications System (UMTS) (in particular, Long Term Evolution (LTE)), global system for mobile communications (GSM), and the like. By way of non-limiting example, the following description relates to a CDMA communication system, but such teachings are equally applicable to other types of systems.
Referring to fig. 2, the CDMA wireless communication system may include a plurality of mobile terminals 100, a plurality of Base Stations (BSs) 270, Base Station Controllers (BSCs) 275, and a Mobile Switching Center (MSC) 280. The MSC280 is configured to interface with a Public Switched Telephone Network (PSTN) 290. The MSC280 is also configured to interface with a BSC275, which may be coupled to the base station 270 via a backhaul. The backhaul may be constructed according to any of several known interfaces including, for example, E1/T1, ATM, IP, PPP, frame Relay, HDSL, ADSL, or xDSL. It will be understood that a system as shown in fig. 2 may include multiple BSCs 2750.
Each BS270 may serve one or more sectors (or regions), each sector covered by a multi-directional antenna or an antenna pointing in a particular direction being radially distant from the BS 270. Alternatively, each partition may be covered by two or more antennas for diversity reception. Each BS270 may be configured to support multiple frequency allocations, with each frequency allocation having a particular frequency spectrum (e.g., 1.25MHz,5MHz, etc.).
The intersection of partitions with frequency allocations may be referred to as a CDMA channel. The BS270 may also be referred to as a Base Transceiver Subsystem (BTS) or other equivalent terminology. In such a case, the term "base station" may be used to generically refer to a single BSC275 and at least one BS 270. The base stations may also be referred to as "cells". Alternatively, each sector of a particular BS270 may be referred to as a plurality of cell sites.
As shown in fig. 2, a Broadcast Transmitter (BT)295 transmits a broadcast signal to the mobile terminal 100 operating within the system. A broadcast receiving module 111 as shown in fig. 1 is provided at the mobile terminal 100 to receive a broadcast signal transmitted by the BT 295. In fig. 2, several Global Positioning System (GPS) satellites 300 are shown. The satellite 300 assists in locating at least one of the plurality of mobile terminals 100.
In fig. 2, a plurality of satellites 300 are depicted, but it is understood that useful positioning information may be obtained with any number of satellites. The GPS module 115 as shown in fig. 1 is generally configured to cooperate with satellites 300 to obtain desired positioning information. Other techniques that can track the location of the mobile terminal may be used instead of or in addition to GPS tracking techniques. In addition, at least one GPS satellite 300 may selectively or additionally process satellite DMB transmission.
As a typical operation of the wireless communication system, the BS 270 receives reverse link signals from various mobile terminals 100. The mobile terminals 100 are generally engaged in conversations, messaging, and other types of communications. Each reverse link signal received by a particular base station 270 is processed within that BS 270. The obtained data is forwarded to the associated BSC 275. The BSC provides call resource allocation and mobility management functions, including coordination of soft handoff procedures between BSs 270. The BSCs 275 also route the received data to the MSC 280, which provides additional routing services for interfacing with the PSTN 290. Similarly, the PSTN 290 interfaces with the MSC 280, the MSC interfaces with the BSCs 275, and the BSCs 275 accordingly control the BSs 270 to transmit forward link signals to the mobile terminals 100.
Based on the above mobile terminal hardware structure and communication system, the present invention provides various embodiments of the method.
As shown in fig. 3, a first embodiment of the present invention provides an application authority control apparatus, including:
An application monitoring module 310, configured to monitor applications installed on the terminal. In this embodiment, a listener is registered with the system package manager module when the terminal system starts, and it monitors application installation on the mobile terminal.
A method parsing module 320, configured to parse the plurality of methods that the application requests to call from the terminal. In this embodiment, the methods in the terminal system implement corresponding functions, and an application calls and uses these methods by acquiring the corresponding permissions. When the installation of an application is detected, the application's method calls are analyzed. Specifically, a method tree analysis listener is registered to monitor method tree analysis, which is based on tree (binary tree) theory; when a user installs a new application, method tree analysis is invoked after the application installation is intercepted.
A method management module 330, configured to determine, according to the call relationships corresponding to the plurality of methods, whether there is a background method that cannot be associated with the user interface layer of the terminal through a call relationship. In this embodiment, when the method tree is generated, it is checked whether the method tree is an authority island: the methods called by the application are analyzed and authority islands are identified; if a method tree is not an authority island, the corresponding permission is granted directly; otherwise, granting the corresponding permission is prohibited. The "authority island" mentioned in this embodiment is explained as follows:
As shown in fig. 4, the binary trees formed in this embodiment are based on the method call relationships and are divided into two types: method trees called directly from the UI (user interface) layer, and non-UI background method trees. The methods in the former (M11, M12, M21, M22, M31 and M32) are connected to the UI layer through call relationships (represented by straight lines), that is, a direct or indirect call relationship exists. The methods in the latter (M13, M23, M24 and M33) cannot be connected to the UI layer through any call relationship, and the latter is called an authority island. Authority islands are where 'malicious' applications most often hide their use of permissions: the user cannot observe or operate these methods, so the application can covertly and silently collect the user's private information.
An authority management module 340, configured to prohibit the application from acquiring the permission for calling the background method when the determination result is yes. In this embodiment, the corresponding permission of the application is granted or disabled according to the call request information.
According to the technical scheme of this embodiment, application installation is monitored in real time, the method tree is analyzed automatically using tree theory, authority islands are identified intelligently, and the corresponding permissions are granted or prohibited. This prevents 'malicious' applications from using the permissions they request to steal the user's private information, spares the user from guessing blindly at why an application requests a certain permission, intelligently closes off 'malicious' permissions, and prevents private information from leaking, thereby improving the security of the user's mobile terminal.
As shown in fig. 5, a second embodiment of the present invention provides an application authority control apparatus, including:
An application monitoring module 510, configured to register a listener in a framework layer of the terminal to monitor application installation. In this embodiment, the application installation listener is registered with the system's application manager in the framework layer, and application installation is monitored in real time. Further, a method tree analysis listener may be registered to monitor method tree analysis.
A method parsing module 520, configured to parse the plurality of methods according to the user interface registration information recorded in the configuration file corresponding to the plurality of methods.
A method management module 530, configured to determine, according to the call relationships corresponding to the plurality of methods, whether there is a background method that cannot be associated with the user interface layer of the terminal through a call relationship.
An exception module 540, configured to determine, when the determination result is yes, whether the permission belongs to a preset exception permission.
An authority management module 550, configured to prohibit the application from acquiring the permission if the determination result is negative. In this embodiment, whether to grant the permission is decided by looking it up in the exception permissions: if it is found there, the permission is granted; otherwise, the permission is prohibited.
With the technical scheme of this embodiment, an authority island is not simply forbidden outright once it is identified, because a legitimate background service should be granted its permission; in that case the user can add it to the exception permissions so that the permission is allowed to be granted. Otherwise, the permission is disabled. The default is to disable the permission, and only once the user knows that it is safe does the user need to actively add it to the exception permissions. The application flow of the technical scheme of this embodiment is shown in fig. 6.
Further, in another embodiment, a type module may replace the exception module. The type module determines, according to the type of the application, whether the application needs to call the method, and when the determination result is negative, the authority management module prohibits the application from acquiring the permission. For example, if an application is a meal-ordering application, applications of this type need to make calls, so the application can be given the corresponding permission to make phone calls; whereas for an application of the notepad type that is judged to have no need for networking, the networking permission is prohibited, which prevents network traffic from being consumed without the user's knowledge.
As shown in fig. 6, a third embodiment of the present invention provides an application authority control method, including:
Step 610, monitoring applications installed on the terminal. In this embodiment, a listener is registered with the system package manager module when the terminal system starts, and it monitors application installation on the mobile terminal.
Step 620, parsing the plurality of methods that the application requests to call from the terminal. In this embodiment, the methods in the terminal system implement corresponding functions, and an application calls and uses these methods by acquiring the corresponding permissions. When the installation of an application is detected, the application's method calls are analyzed. Specifically, a method tree analysis listener is registered to monitor method tree analysis, which is based on tree (binary tree) theory; when a user installs a new application, method tree analysis is invoked after the application installation is intercepted.
Step 630, determining, according to the call relationships corresponding to the plurality of methods, whether there is a background method that cannot be associated with the user interface layer of the terminal through a call relationship. In this embodiment, when the method tree is generated, it is checked whether the method tree is an authority island: the methods called by the application are analyzed and authority islands are identified; if a method tree is not an authority island, the corresponding permission is granted directly; otherwise, granting the corresponding permission is prohibited. The "authority island" mentioned in this embodiment is explained as follows:
As shown in fig. 4, the binary trees formed in this embodiment are based on the method call relationships and are divided into two types: method trees called directly from the UI (user interface) layer, and non-UI background method trees. The methods in the former (M11, M12, M21, M22, M31 and M32) are connected to the UI layer through call relationships (represented by straight lines), that is, a direct or indirect call relationship exists. The methods in the latter (M13, M23, M24 and M33) cannot be connected to the UI layer through any call relationship, and the latter is called an authority island. Authority islands are where 'malicious' applications most often hide their use of permissions: the user cannot observe or operate these methods, so the application can covertly and silently collect the user's private information.
Step 640, prohibiting the application from acquiring the permission for calling the background method when the determination result is yes. In this embodiment, the corresponding permission of the application is granted or disabled according to the call request information.
According to the technical scheme of this embodiment, application installation is monitored in real time, the method tree is analyzed automatically using tree theory, authority islands are identified intelligently, and the corresponding permissions are granted or prohibited. This prevents 'malicious' applications from using the permissions they request to steal the user's private information, spares the user from guessing blindly at why an application requests a certain permission, intelligently closes off 'malicious' permissions, and prevents private information from leaking, thereby improving the security of the user's mobile terminal.
As shown in fig. 7, a fourth embodiment of the present invention provides an application authority control method, including:
Step 710, registering a listener in a framework layer of the terminal to monitor application installation. In this embodiment, the application installation listener is registered with the system's application manager in the framework layer, and application installation is monitored in real time. Further, a method tree analysis listener may be registered to monitor method tree analysis.
Step 720, parsing the plurality of methods according to the user interface registration information recorded in the configuration files corresponding to the plurality of methods.
Step 730, determining, according to the call relationships corresponding to the plurality of methods, whether there is a background method that cannot be associated with the user interface layer of the terminal through a call relationship.
Step 740, if the determination result is yes, determining whether the permission belongs to a preset exception permission.
Step 750, if the determination result is negative, the authority management module prohibits the application from acquiring the permission. In this embodiment, whether to grant the permission is decided by looking it up in the exception permissions: if it is found there, the permission is granted; otherwise, the permission is prohibited.
With the technical scheme of this embodiment, an authority island is not simply forbidden outright once it is identified, because a legitimate background service should be granted its permission; in that case the user can add it to the exception permissions so that the permission is allowed to be granted. Otherwise, the permission is disabled. The default is to disable the permission, and only once the user knows that it is safe does the user need to actively add it to the exception permissions. The application flow of the technical scheme of this embodiment is shown in fig. 6.
Further, in another embodiment, a type module may replace the exception module. The type module determines, according to the type of the application, whether the application needs to call the method, and when the determination result is negative, the authority management module prohibits the application from acquiring the permission. For example, if an application is a meal-ordering application, applications of this type need to make calls, so the application can be given the corresponding permission to make phone calls; whereas for an application of the notepad type that is judged to have no need for networking, the networking permission is prohibited, which prevents network traffic from being consumed without the user's knowledge.
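The decision flow of steps 610 to 640 and 710 to 750 can be made concrete with the following added example, which is not part of the patent text. It treats the method relationships as a general call graph rather than a binary tree; the method names follow fig. 4, while the individual call edges, the permission each method needs, the permission-name exception set and all function names are assumptions constructed for illustration.

```python
from collections import deque

# Constructed input. Method names follow Fig. 4; the individual edges and the
# permission each method needs are assumptions made for this example.
CALLS = {
    "UI":  ["M11", "M12"],
    "M11": ["M21", "M22"],
    "M21": ["M31"],
    "M22": ["M32"],
    "M13": ["M23", "M24"],
    "M23": ["M33"],
    "M24": ["M22"],   # island code calling shared code is still not UI-reachable
    "M33": ["M13"],   # cycle inside the island; the search must still terminate
}
REQUIRES = {
    "M22": {"READ_CONTACTS"},
    "M32": {"CALL_PHONE"},
    "M23": {"READ_SMS"},
    "M33": {"INTERNET", "ACCESS_FINE_LOCATION"},
}


def reachable_from(calls, roots):
    """Every node reachable from roots by following caller -> callee edges."""
    seen = set(roots)
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        for callee in calls.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def authority_islands(calls, ui_roots):
    """Methods with no direct or indirect call path from the UI layer."""
    all_methods = set(calls)
    for callees in calls.values():
        all_methods.update(callees)
    return all_methods - reachable_from(calls, ui_roots)


def decide(calls, ui_roots, requires, exceptions=frozenset()):
    """Map (method, permission) -> True (grant) or False (deny).

    UI-reachable methods are granted directly. Island methods are denied by
    default unless the permission is in the preset exception set.
    """
    islands = authority_islands(calls, ui_roots)
    decisions = {}
    for method, perms in requires.items():
        for perm in perms:
            decisions[(method, perm)] = method not in islands or perm in exceptions
    return decisions


if __name__ == "__main__":
    print(sorted(authority_islands(CALLS, ["UI"])))
    result = decide(CALLS, ["UI"], REQUIRES, {"INTERNET"})
    for key, granted in sorted(result.items()):
        print(key, "grant" if granted else "deny")
```

The decisions are keyed by (method, permission) because the text prohibits the permission "for calling the background method"; on a platform where permissions are granted per application, a permission needed by both a UI-reachable method and an island method would need a policy the text does not specify.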
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. An application authority control apparatus, comprising:
an application monitoring module, configured to monitor an application installed on a terminal;
a method analysis module, configured to analyze a plurality of methods that the application requests to call from the terminal;
a method management module, configured to judge, according to the calling relations corresponding to the methods, whether there is a background method that cannot be associated with a user interface layer of the terminal through a calling relation; and
an authority management module, configured to prohibit the application from acquiring the authority for calling the background method when the judgment result is yes.
2. The apparatus of claim 1, wherein
the application monitoring module registers a listener in a framework layer of the terminal to monitor application installation.
3. The apparatus of claim 1, wherein
the method analysis module analyzes the methods according to the user interface registration information recorded in the configuration files corresponding to the methods.
4. The apparatus of claim 1, further comprising:
an exception module, configured to judge whether the authority belongs to a preset exception authority, wherein when the judgment result is negative, the authority management module prohibits the application from acquiring the authority.
5. The apparatus of claim 1, further comprising:
a type module, configured to judge, according to the type of the application, whether the application needs to call the method, wherein when the judgment result is negative, the authority management module prohibits the application from acquiring the authority.
6. An application authority control method, characterized by comprising the following steps:
monitoring an application installed on a terminal;
analyzing a plurality of methods that the application requests to call from the terminal;
judging, according to the calling relations corresponding to the methods, whether there is a background method that cannot be associated with a user interface layer of the terminal through a calling relation; and
when the judgment result is yes, prohibiting the application from acquiring the authority for calling the background method.
7. The method according to claim 6, wherein monitoring applications installed on the terminal specifically includes:
registering a listener in a framework layer of the terminal to monitor application installation.
8. The method according to claim 6, wherein analyzing the plurality of methods that the application requests to call from the terminal specifically comprises:
analyzing the plurality of methods according to the user interface registration information recorded in the configuration files corresponding to the plurality of methods.
9. The method of claim 6, further comprising, prior to prohibiting the application from acquiring the authority for calling the background method:
judging whether the authority belongs to a preset exception authority, and if not, prohibiting the application from acquiring the authority.
10. The method of claim 6, further comprising, prior to prohibiting the application from acquiring the authority for calling the background method:
judging, according to the type of the application, whether the application needs to call the method, and if not, prohibiting the application from acquiring the authority.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610809036.3A CN106407797B (en) 2016-09-08 2016-09-08 Application authority control device and method

Publications (2)

Publication Number Publication Date
CN106407797A CN106407797A (en) 2017-02-15
CN106407797B true CN106407797B (en) 2020-01-07

Family

ID=57998654

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610809036.3A Active CN106407797B (en) 2016-09-08 2016-09-08 Application authority control device and method

Country Status (1)

Country Link
CN (1) CN106407797B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109344611B (en) * 2018-09-06 2024-02-27 天翼安全科技有限公司 Application access control method, terminal equipment and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101650659A (en) * 2009-09-15 2010-02-17 福建升腾资讯有限公司 Device and method for automatically installing and saving Activex control in XPe operating system
CN103052068A (en) * 2013-01-17 2013-04-17 工业和信息化部电信传输研究所 Intelligent terminal security protection testing method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100583783C (en) * 2007-11-06 2010-01-20 北京航空航天大学 Integration tool for telecommunication area inheritance system based on configuration policy
CN101902402A (en) * 2010-07-21 2010-12-01 中兴通讯股份有限公司 Method for managing user right and device thereof
US20130111586A1 (en) * 2011-10-27 2013-05-02 Warren Jackson Computing security mechanism
CN103268438B (en) * 2013-02-04 2016-01-06 华为技术有限公司 Based on Android right management method and the system of call chain
CN103905651A (en) * 2014-04-30 2014-07-02 北京邮电大学 Method and system for application permission management in intelligent terminal
CN104992081B (en) * 2015-06-24 2018-02-27 华中科技大学 A kind of safe Enhancement Method of Android application programs third party code

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant