CN111953637A - Application service method and device - Google Patents

Publication number
CN111953637A
Authority
CN
China
Prior art keywords
target application
service
identification information
application
initial
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910411135.XA
Other languages
Chinese (zh)
Other versions
CN111953637B (en)
Inventor
谢淼
彭艺
刘家豪
李楠
王超
王寅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201910411135.XA (patent CN111953637B)
Priority to PCT/CN2020/088644 (patent WO2020228564A1)
Publication of CN111953637A
Application granted
Publication of CN111953637B
Status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00: Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40: Support for services or applications
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The application provides an application service method, which comprises the following steps: in the rich execution environment, judging whether the registered service exists in the target application, if so, acquiring a service request of the target application, acquiring current identification information of the target application according to the service request, and acquiring current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in the trusted execution environment, and if so, processing according to the service request of the target application. By adopting the application service method, the safety of the user using the target application service is ensured by comparing whether the current information of the target application is consistent with the initial information during registration and processing the service request when the current information of the target application is consistent with the initial information during registration.

Description

Application service method and device
Technical Field
The present application relates to the field of application services, and in particular, to an application service method and apparatus.
Background
In recent years, terminal devices have come to host more and more artificial intelligence services, and these services generally need very good personalization to win the favor of consumers. To that end, terminal device manufacturers and internet enterprises may wish to provide personalized services at different levels of the terminal device (including the operating system level, framework level, application level, etc.).
Most personalized services on terminal devices in the prior art follow this design: first, feedback data on the user's use of the terminal device is obtained and uploaded to a background server, which builds and trains a model on the received feedback data; then a decision is made on the feedback data according to the trained model; finally, the decision result is fed back to the terminal device so that the user receives it.
First, most of these services need to acquire users' use and operation logs and transmit them back to a background server (not limited to a cloud server); a personalized model is then built in the cloud, and the use and operation logs are pushed back to the terminal device by way of a software package or application upgrade, so that the personalized service function is upgraded. However, such an approach is not only costly but also infringes on user privacy to some extent. Even if the terminal device carries an artificial intelligence chip, a flaw in the design of the personalized service scheme makes the chip easy for hackers to exploit, so that functions of the terminal device become unusable and there is even a risk of loss and leakage of property and private data.
Disclosure of Invention
The application provides an application service method to solve the problems of insecurity and high transmission cost in the existing application data transmission process. The application also relates to an application service device.
The application provides an application service method, which comprises the following steps:
in a rich execution environment, judging whether the target application has a registered service, if so, acquiring a service request of the target application, acquiring current identification information of the target application according to the service request, and acquiring current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered;
if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in a trusted execution environment, and if so, processing according to the service request of the target application.
Optionally, the method further includes:
in a rich execution environment, acquiring a service registration request of a target application, acquiring initial identification information of the target application according to the service registration request, and acquiring initial signature information of the target application through the initial identification information;
and in a trusted execution environment, generating a service identifier of a service needing to be registered according to the initial signature information and the initial identification information, and returning the service identifier to the target application.
Optionally, the obtaining initial identification information of the target application according to the service registration request includes:
acquiring identification information of the target application at a permission layer higher than the target application;
and taking the identification information as initial identification information of the target application.
Optionally, the obtaining initial signature information of the target application through the initial identification information includes:
acquiring a code segment and a code segment position of the target application according to the initial identification information;
and obtaining initial signature information of the target application according to the code segment and the code segment position.
Optionally, the obtaining initial signature information of the target application according to the code segment and the code segment location includes:
splicing the code segments with the positions of the code segments to obtain spliced code information;
acquiring signature information of the code segments according to the spliced code information;
and taking the signature information of the code segment as initial signature information of the target application.
Optionally, the obtaining the code segment and the code segment position of the target application according to the initial identification information includes:
determining the target application according to the initial identification information;
at least one code segment is selected from the code of the target application as a code segment of the target application.
Optionally, the method further includes:
judging whether the target application has the permission to acquire a code segment;
the acquiring the code segment of the target application through the initial identification information comprises:
and if the target application is determined to have the permission of acquiring the code segment, acquiring the code segment of the target application through the initial identification information.
Optionally, the generating, in the trusted execution environment, a service identifier of a service to be registered according to the initial signature information and the initial identification information includes:
storing the initial signature information and the initial identification information in a database of the trusted execution environment;
and generating a service identifier of the service needing to be registered, wherein the service identifier corresponds to the initial signature information and the initial identification information in the trusted execution environment.
Optionally, the returning the service identifier to the target application includes:
storing the initial identification information and the initial signature information of the registered target application by taking the service identifier as an index in the rich execution environment; returning the service identification stored in the rich execution environment to the target application.
Optionally, the service registration request includes at least one of the following information:
name information of the service to be registered in the target application;
information on whether data encryption is enabled for the service to be registered;
data encryption algorithm information for the service to be registered;
and data decryption public key information for the service to be registered.
Optionally, the initial identification information of the target application at least includes a unique identifier of the target application, where the unique identifier is a unique identifier of a kernel authority layer of the target application.
Optionally, the determining whether the registered service exists in the target application includes:
obtaining information of all services of the target application;
and judging whether all the services of the target application have service identifications.
Optionally, the determining whether the current identification information of the target application is consistent with the initial identification information of the target application when registering includes:
acquiring identification information of the target application at a permission layer higher than the target application, and taking the identification information as the current identification information of the target application;
acquiring initial identification information when the target application is registered;
and judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered.
Optionally, the determining, in the trusted execution environment, whether current signature information of the target application is consistent with initial signature information of the target application when the target application is registered includes:
acquiring current signature information of the target application according to the current identification information of the target application;
acquiring initial signature information when the target application is registered;
and judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered.
Optionally, the obtaining current signature information of the target application according to the current identification information of the target application includes:
acquiring a code segment and a code segment position of the target application according to the current identification information;
and obtaining the current signature information of the target application according to the code segment and the code segment position.
Optionally, the obtaining current signature information of the target application according to the code segment and the code segment location includes:
splicing the code segments with the positions of the code segments to obtain spliced code information;
acquiring signature information of the code segments according to the spliced code information;
and taking the signature information of the code segment as the current signature information of the target application.
Optionally, the obtaining the code segment and the code segment position of the target application according to the current identification information includes:
determining the target application according to the current identification information;
at least one code segment is selected from the code of the target application as a code segment of the target application.
Optionally, the method further includes:
judging whether the target application has the permission to acquire a code segment;
the acquiring the code segment of the target application through the current identification information includes:
and if the target application is determined to have the permission of acquiring the code segment, acquiring the code segment of the target application through the current identification information.
Optionally, the obtaining the service request of the target application includes:
in a rich execution environment, obtaining a feedback data sample of a target application; taking the obtained feedback data sample of the target application as the obtained service request of the target application;
the processing according to the service request of the target application comprises: in a trusted execution environment, training, according to the feedback data sample, a decision model for obtaining a service decision result from feedback data of the target application; and taking the decision model for obtaining the service decision result as a processing result.
Optionally, the method further includes:
in the rich execution environment, obtaining feedback data of the target application;
and in the trusted execution environment, obtaining a service decision result aiming at the feedback data of the target application according to the feedback data of the target application and the decision model.
Optionally, the method further includes:
storing, in the trusted execution environment, feedback data of the target application to a database;
judging whether the feedback data are collected completely, and if so, deleting all the feedback data of the database;
and obtaining a service decision result aiming at the feedback data of the target application according to the feedback data of the target application and the decision model.
Optionally, the method further includes:
judging whether the feedback data is encrypted, if so, decrypting the feedback data;
the obtaining a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model includes:
and obtaining a service decision result aiming at the feedback data of the target application according to the decrypted feedback data and the decision model.
Optionally, the obtaining the service request of the target application includes:
in a rich execution environment, obtaining feedback data of a target application, obtaining a candidate object according to the feedback data, and obtaining a decision request of the target application; taking the obtained decision request of the target application as the obtained service request of the target application;
the processing according to the service request of the target application comprises: in a trusted execution environment, obtaining, according to the decision request of the target application, a decision model for obtaining a decision result from the candidate object, and obtaining a decision result according to the candidate object and the decision model; and taking the obtained decision result as a processing result.
Optionally, the obtaining a candidate object according to the feedback data includes:
acquiring an object set corresponding to the feedback data;
and obtaining a screening condition aiming at the feedback data, screening the objects meeting the screening condition in the object set, and taking the objects meeting the screening condition as candidate objects.
Optionally, the obtaining, according to the decision request of the target application, a decision model for obtaining a decision result according to the candidate object includes:
acquiring a service identifier contained in the decision request;
and obtaining the decision model by taking the service identification as an index.
Optionally, the obtaining a decision result according to the candidate object and the decision model includes:
scoring each element of the candidate object according to the decision model to obtain a scoring result;
sorting each element according to the scoring result to obtain a sorting result;
and taking the scoring result and the sorting result as decision results.
Correspondingly, the application also provides an application service device, which comprises:
the service judging unit is used for judging whether the registered service exists in the target application in a rich execution environment, if so, acquiring a service request of the target application, acquiring the current identification information of the target application according to the service request, and acquiring the current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in a trusted execution environment;
and the service processing unit is used for processing according to the service request of the target application if the judgment result is yes.
The present application further provides a terminal, including:
the service judging unit is used for judging whether a registered service exists in a target application in a rich execution environment in the terminal, if so, acquiring a service request of the target application, acquiring current identification information of the target application according to the service request, and acquiring current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in a trusted execution environment in the terminal;
and the service processing unit is used for processing according to the service request of the target application if the judgment result is yes.
Compared with the prior art, the method has the following advantages:
the application provides an application service method, which comprises the following steps: in the rich execution environment, judging whether the registered service exists in the target application, if so, acquiring a service request of the target application, acquiring current identification information of the target application according to the service request, and acquiring current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in the trusted execution environment, and if so, processing according to the service request of the target application. By adopting the application service method, whether the current information of the target application is consistent with the initial information during registration is compared, and the service request is processed when the current information of the target application is consistent with the initial information during registration, so that safety guarantee is provided for the target application using the service of the application, the service of the target application is prevented from being tampered in the data transmission process, and the safety of the user using the service of the target application is ensured.
In the further improved technical solution of the present application, before the application service of the present application is used, the application needs to be registered, and when the service of the target application of the present application is registered, the initial identification information of the target application is obtained at a higher authority level than the target application, so that the possibility that data is tampered when the data is transmitted by using the service of the target application is further reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art from these drawings.
Fig. 1 is a flowchart of an application service method according to a first embodiment of the present application.
Fig. 2 is a flowchart of a service registration method of an application according to a second embodiment of the present application.
Fig. 3 is a flowchart of a method for processing feedback data for a target application according to a third embodiment of the present application.
Fig. 4 is a flowchart of an online decision method according to a fourth embodiment of the present application.
Fig. 5 is a flowchart of a service logout method of an application according to a fifth embodiment of the present application.
Fig. 6 is a schematic diagram of an application service apparatus according to a sixth embodiment of the present application.
Fig. 7 is a schematic diagram of a terminal according to an eighth embodiment of the present application.
Fig. 8 is a component diagram of a system for applying a service according to a ninth embodiment of the present application.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. However, this application can be implemented in many ways other than those described here, and those skilled in the art can make similar generalizations without departing from the spirit of this application; the application is therefore not limited to the specific implementations disclosed below.
The application provides an application service method and device, and the following are specific embodiments:
Fig. 1 is a flowchart of an embodiment of an application service method according to a first embodiment of the present application. The method comprises the following steps.
Step S101: in the rich execution environment, judging whether the registered service exists in the target application, if so, acquiring a service request of the target application, acquiring current identification information of the target application according to the service request, and acquiring current signature information of the target application through the current identification information; and judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered.
Step S102: if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in the trusted execution environment, and if so, processing according to the service request of the target application.
The application service method of the present application includes a service registration process, a feedback data processing process, and an online decision process of a target application, and in the following description, three processes are described one by one in three embodiments, respectively.
Fig. 2 is a flowchart illustrating an embodiment of an application service registration method according to a second embodiment of the present application. The method comprises the following steps.
Step S201: in the rich execution environment, a service registration request of a target application is obtained, initial identification information of the target application is obtained according to the service registration request, and initial signature information of the target application is obtained through the initial identification information.
When a service of an application is registered by the service registration method of this embodiment, a service registration request of the target application is first obtained, where the service registration request includes at least one of the following information: name information of the service to be registered in the target application, information on whether data encryption is enabled for the service to be registered, data encryption algorithm information for the service to be registered, and data decryption public key information for the service to be registered.
Take the registration of one service of the target application by the method of this embodiment as an example, and assume the target application is APP1. In practice, APP1 may have various service functions. For a given service registration, name information of the service to be registered in the target application may be placed in the service registration request, so as to determine which service function of the target application is to be registered with the method of this embodiment. To avoid the risk of data being tampered with during subsequent data transmission by the target application after registration with the method of this embodiment, information on whether data encryption is enabled for the service to be registered may also be placed in the service registration request. Likewise, if information enabling data encryption is placed in the service registration request, data encryption algorithm information and data decryption public key information for the service to be registered may be placed in the request at the same time.
Specifically, the service registration request may be request string information including name information of the above-described service, information on whether data encryption is turned on for the service that needs to be registered, data encryption algorithm information of the service that needs to be registered, and data decryption public key information for the service that needs to be registered. Since the encryption, decryption and the algorithm involved in encryption are well studied in the prior art, they are not described herein again.
Then, the initial identification information of the target application is acquired according to the service registration request. Specifically, the identification information of the target application may be obtained at an authority layer higher than the target application and used as the initial identification information of the target application. The authority layer higher than the target application may be the kernel layer of the system running the target application, or another layer of the system, it being understood that this layer has higher authority than the target application. In this embodiment, the system refers to the system of the present application for registering, deregistering, and serving a service of the target application. It should be noted that the initial identification information of the target application here may be a unique identifier of the target application in that system, for example a unique identifier of the target application at the kernel authority layer of the system.
After the identification information of the target application is acquired, the initial signature information of the target application is acquired according to the initial identification information, specifically in the manner described below.
First, a code segment and a code segment position of a target application are obtained according to initial identification information.
Then, the initial signature information of the target application is obtained according to the code segment and the code segment position. Specifically, as one way of doing so, the code segment and the code segment position are spliced to obtain spliced code information, the signature information of the code segment is calculated through a HASH algorithm, and the signature information of the code segment is used as the initial signature information of the target application.
In this embodiment, the initial signature information is used to ensure the security of data during registration and subsequent data processing after registration and logout of the service of the target application, and also to ensure the privacy of the user using the target application, so the initial signature information of the target application needs to be obtained during registration. Here, the initial signature information further secures the service of the target application to use the system of the present application.
In order to acquire the code segment of the target application, when acquiring the code segment and the code segment position according to the initial identification information, the target application to be registered needs to be confirmed, that is, the target application is determined according to the initial identification information. For example, when a plurality of applications register services simultaneously, assume that three applications, APP1, APP2 and APP3, are to register services; each of the three applications has its own initial identification information. Assuming that the initial identification information of APP1 is A1, that of APP2 is A2, and that of APP3 is A3, when the code segment and the code segment position are acquired using A1, it can be inferred that the code segment and the code segment position of APP1 are to be acquired. Similarly, when they are acquired using A2, it is inferred that the code segment and the code segment position of APP2 are to be acquired; by analogy, when they are acquired using A3, it is inferred that the code segment and the code segment position of APP3 are to be acquired.
After the target application whose code segment is to be acquired has been determined, at least one code section is selected from the code of the target application as the code segment of the target application. When the code segment and the code segment position are acquired, the code segment may be a randomly selected program section of the target application. Once a program section of the target application has been acquired, the corresponding position of the code segment can be acquired as well. Since techniques for randomly acquiring code segments of an application are mature, they are not described here.
In this embodiment, before acquiring a code segment of a target application, it is further determined whether the target application has an authority to acquire the code segment; and if the target application is determined to have the authority of acquiring the code segment, acquiring the code segment of the target application through the initial identification information.
Specifically, when registering a service of a target application with the method of this embodiment, in order to ensure that a code segment of the target application can be acquired, it is necessary to determine, before acquiring the code segment, whether the target application has the authority to acquire the code segment. This judgment ensures that the code segment of the target application is acquired successfully. For example, if the execution subject of the service registration method in this embodiment determines that the current target application has the authority to acquire the code segment, the code segment of the target application is acquired through the initial identification information; otherwise, the code segment of the target application cannot be acquired.
Step S202: in a trusted execution environment, generating a service identifier of a service to be registered according to initial signature information and initial identification information, and returning the service identifier to the target application.
After the initial signature information and the initial identification information are acquired in step S201, a service identifier of the service to be registered is generated in the trusted execution environment according to the initial signature information and the initial identification information.
Specifically, the manner of generating the service identifier may be as described below.
First, the initial signature information and the initial identification information of the target application are transmitted into the trusted execution environment. The rich execution environment is mentioned in step S201 of this embodiment and the trusted execution environment in this step; together they constitute the operating system used for registering the service in this embodiment. A rich execution environment generally refers to an untrusted execution environment, such as the common Android operating system, while a trusted execution environment refers to a specific hardware-isolated execution environment that is more secure than the rich execution environment but has limited storage and computing resources. Therefore, the operating system executing the service registration method in this embodiment combines the two: some of the steps are executed in the rich execution environment and the others in the trusted execution environment, so as to ensure both high security and a high operation rate of data transmission.
Transmitting the initial signature information and the initial identification information of the target application to the trusted execution environment may consist of storing them in a database in the trusted execution environment. The service identifier of the service to be registered is then generated in the trusted execution environment, that is, according to the initial signature information and the initial identification information in the database. For example, if the target application is APP1 and its service APP1FUNC1 is to be registered, the initial identification information of the target application is first obtained as A1 and the initial signature information as B1; if the service identifier generated according to A1 and B1 is D1, then D1 is the service identifier of APP1FUNC1.
The service identification is then returned to the target application.
After the trusted execution environment generates the service identifier of the target application service, the service identifier needs to be returned to the target application so as to identify the service registered by the target application.
Specifically, one way to return the service identifier to the target application may be: firstly, in a rich execution environment, using a service identifier as an index, and storing initial identification information and initial signature information of a registered target application; the service identification stored in the rich execution environment is then returned to the targeted application.
The storing of the initial identification information and the initial signature information of the registered target application with the service identifier as the index is to establish a relationship between the registered service identifier and the related information of the target application, and then return the service identifier to the target application through the established relationship.
By adopting the service registration method of the application of the embodiment, the service identifier corresponding to the service of the target application can be obtained through the initial identification information and the initial signature information of the target application, so that the security guarantee is provided for the target application using the service of the application, the service of the target application is prevented from being tampered in the data transmission process, and the security of the service of the target application used by a user is ensured.
The second embodiment describes service registration of an application service method, and after registration, the present application further provides a method for processing feedback data for a target application, as shown in fig. 3, which is a flowchart of an embodiment of a method for processing feedback data for a target application service method according to the third embodiment of the present application. The method comprises the following steps.
Step S301: in the rich execution environment, obtaining a feedback data sample of the target application, judging whether the registered service exists in the target application, and if so, judging whether the current identification information of the target application is consistent with the initial identification information of the target application during registration.
If the method provided by this embodiment is adopted to process the feedback data of the target application, first, the feedback data sample of the target application is obtained in the rich execution environment, and the feedback data sample is used for training the model, so as to process the feedback data of the target application used by the user.
Before training the model on the feedback data sample, firstly, the service registration judgment is performed on the service of the target application, the judgment process is to ensure the safety of the user data, the judgment of the embodiment is divided into three layers, and the three layers of judgment are sequentially explained in the following description.
The first level of determination determines whether the target application has a registered service.
As one of the ways of determining whether the target application has the registered service, all services of the target application may be obtained first, and then it may be sequentially determined whether all services of the target application have the service identifier.
Since it has been mentioned in the second embodiment that the services successfully registered all have the service identifier in the rich execution environment, the registration situation of the service can be preliminarily determined according to the determination of whether the service having the service identifier exists in the target application. Of course, in the first-level judgment, if there is no registered service identifier in all the services of the target application, the judgment process of the target application is directly exited. And if so, entering the judgment of a second layer, namely judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered.
The second-level judgment determines whether the current identification information of the target application is consistent with the initial identification information of the target application at registration.
The second-level judgment is entered when the target application meets the condition of the first-level judgment.
In the second embodiment, it has been mentioned that the service that has successfully registered has the initial identification information in the rich execution environment during the registration process, so that the initial identification information at the time of registering the current target application can be extracted from the rich execution environment when the first-level judgment meets the condition.
Likewise, when determining whether the current identification information of the target application is consistent with the initial identification information at registration, the current identification information of the current target application can be determined in the rich execution environment according to the current target application. The current identification information may be acquired in the same way as the initial identification information in the second embodiment, that is, the identification information of the current target application is acquired at an authority layer higher than the current target application, and that identification information is used as the current identification information of the current target application.
After the current identification information and the initial identification information are obtained, it is judged whether the current identification information of the target application is consistent with the initial identification information at registration. For example, if the initial identification information when APP1 registered the service is A1 and the current identification information is also A1, it is determined that the current identification information of the target application is consistent with the initial identification information at registration; if the initial identification information when APP1 registered the service is A1 and the current identification information is A01, it is determined that the current identification information of the target application is inconsistent with the initial identification information at registration.
Step S302: and if the current identification information of the target application is consistent with the initial identification information of the target application during registration, judging whether the current signature information of the target application is consistent with the initial signature information of the target application during registration in the trusted execution environment, and if so, training a decision model for obtaining a service decision result according to the feedback data of the target application according to the feedback data sample.
In step S301, if it is determined that the current identification information of the target application is consistent with the initial identification information at the time of registration of the target application, the third-level determination is performed, that is, it is determined whether the current signature information of the target application is consistent with the initial signature information at the time of registration of the target application.
The third-level judgment determines whether the current signature information of the target application is consistent with the initial signature information of the target application at registration.
The third-level judgment is entered when the target application meets the condition of the second-level judgment.
Similarly, in the second embodiment, it has been mentioned that the service that has successfully registered has the initial signature information in the rich execution environment during the registration process, so that the initial signature information at the time of registering the current target application can be extracted from the rich execution environment when the second level of judgment meets the condition.
When judging whether the current signature information of the target application is consistent with the initial signature information of the target application when the target application is registered in the trusted execution environment, the current signature information of the current target application can be determined in the rich execution environment according to the current identification information of the current target application. Similar to the way of obtaining the initial signature information in the second embodiment, the current signature information of the current target application may be obtained in the same way, that is, according to the current identification information of the target application, the current signature information of the target application is obtained.
As one way to obtain the current signature information of the target application according to the current identification information of the target application, first, a code segment and a code segment position of the target application are obtained according to the current identification information, and then the current signature information of the target application is obtained according to the code segment and the code segment position.
Specifically, one of the ways to obtain the current signature information of the target application according to the code segment and the code segment location may be to splice the code segment and the code segment location, calculate the signature information of the code segment through a HASH algorithm, and use the signature information of the code segment as the current signature information of the target application.
In this embodiment, the current signature information is used to ensure the security of data of the service of the target application during the data processing process, and also to ensure the privacy of the user using the target application, so the current signature information of the target application needs to be obtained during the data processing process. Here, the current signature information further ensures that the service of the target application uses the system of the present application safely.
In order to acquire the code segment of the target application, when acquiring the code segment and the code segment position according to the current identification information, the target application to be registered needs to be confirmed, that is, the target application is determined according to the current identification information. For example, when a plurality of applications process data simultaneously, assume that three applications, APP1, APP2 and APP3, are to process data; each of the three applications has its own current identification information. Assuming that the current identification information of APP1 is A1, that of APP2 is A2, and that of APP3 is A3, when the code segment and the code segment position are acquired using A1, it can be inferred that the code segment and the code segment position of APP1 are to be acquired. Similarly, when they are acquired using A2, it is inferred that the code segment and the code segment position of APP2 are to be acquired; by analogy, when they are acquired using A3, it is inferred that the code segment and the code segment position of APP3 are to be acquired.
After the target application whose code segment is to be acquired has been determined, at least one code section is selected from the code of the target application as the code segment of the target application. When the code segment and the code segment position are acquired, the code segment may be a randomly selected program section of the target application. Once a program section of the target application has been acquired, the corresponding position of the code segment can be acquired as well. Since techniques for randomly acquiring code segments of an application are mature, they are not described here.
In this embodiment, before acquiring a code segment of a target application, it is further determined whether the target application has an authority to acquire the code segment; and if the target application is determined to have the permission to acquire the code segment, acquiring the code segment of the target application through the current identification information.
Specifically, when data processing is performed after the service of the target application is registered by using the method of the present embodiment, in order to ensure that the code segment of the target application can be acquired, it is necessary to determine whether the target application has the authority to acquire the code segment before acquiring the code segment of the target application. The judgment process here is to ensure that the code segment of the target application is successfully acquired. For example, if the current target application is judged to have the permission to acquire the code segment, acquiring the code segment of the target application through the current identification information; otherwise, the code segment of the target application cannot be acquired.
After the current signature information and the initial signature information from the target application's registration are obtained, it is judged in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information at registration. For example, if the initial signature information when APP1 registered the service is B1 and the current signature information is also B1, it is determined that the current signature information of the target application is consistent with the initial signature information at registration; if the initial signature information when APP1 registered the service is B1 and the current signature information is B01, it is determined that the current signature information of the target application is inconsistent with the initial signature information at registration. It should be noted that this judgment is performed in the trusted execution environment, whereas the signature information is acquired in the rich execution environment. In summary, during data processing, the last of the three levels of judgment is executed in the trusted execution environment, so as to sufficiently ensure that the data of the target application cannot be tampered with during processing.
After the three levels are verified to be in accordance with the conditions, namely the target application has the registered service, the current identification information of the target application is consistent with the registered initial identification information, and the current signature information of the target application is consistent with the registered initial signature information, a decision model for obtaining a service decision result according to the feedback data of the target application is trained according to the feedback data sample.
Specifically, as one implementation of training a decision model for obtaining a service decision result according to feedback data of a target application, first, in the trusted execution environment, the feedback data sample is learned in an online processing or batch processing manner. And then, acquiring the decision model after learning, and storing the decision model into the trusted execution environment by taking the service identifier of the target application as an index.
After the decision model is stored in the trusted execution environment, feedback data of the target application is obtained in the rich execution environment, and a service decision result aiming at the feedback data of the target application is obtained according to the feedback data of the target application and the decision model.
When the feedback data is obtained, the feedback data of the target application may be temporarily stored in a database in the trusted execution environment. And then judging whether the feedback data are collected completely, and if so, deleting all the feedback data of the database. Therefore, the used feedback data is deleted in time, on one hand, the storage space can be saved, and on the other hand, the safety of the feedback data can be ensured.
Before processing the feedback data, whether the feedback data is encrypted or not needs to be judged, and if yes, the feedback data is decrypted; and obtaining a service decision result of the feedback data aiming at the target application according to the decrypted feedback data and the decision model.
By adopting the processing method for the feedback data of the target application, the data can be processed in the trusted execution environment with higher security level, so that the security of the feedback data of the target application is ensured; since the processing method for the feedback data of the target application according to this embodiment is for the service in which the target application has been registered, it is necessary to check step by step whether the target application registers the service, whether the initial identification information of the target application during registration is consistent with the current identification information of the current target application, and whether the initial signature information of the target application during registration is consistent with the current signature information of the current target application in the trusted execution environment, so as to further prevent the service of the target application from being maliciously tampered during transmission of the feedback data, thereby further ensuring the security of the service in which the target application is used by the user.
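The registration flow of steps S201 and S202 and the three-level judgment of steps S301 and S302, sketched as an added Python example (not code from the patent). SHA-256, the position encoding, the service-identifier derivation, the stored segment offset, and the names `TrustedStore`, `ServiceGate`, `flip_byte` and the `proc-*` handles are assumptions made for illustration; both execution environments are modelled as plain in-process objects.

```python
import hashlib
import hmac
import secrets


def segment_signature(code: bytes, offset: int, length: int) -> str:
    """HASH(code segment || code segment position). SHA-256 and the 8-byte
    big-endian position encoding are assumptions; the page names neither."""
    segment = code[offset:offset + length]
    position = offset.to_bytes(8, "big") + length.to_bytes(8, "big")
    return hashlib.sha256(segment + position).hexdigest()


class TrustedStore:
    """Stand-in for the database inside the trusted execution environment."""

    def __init__(self):
        self._db = {}  # service_id -> (initial identification, initial signature)

    def register(self, app_id: str, signature: str, service_name: str) -> str:
        # Assumed derivation: hash of identification, signature and service name.
        material = "|".join((app_id, signature, service_name)).encode()
        service_id = hashlib.sha256(material).hexdigest()[:16]
        self._db[service_id] = (app_id, signature)
        return service_id

    def signature_matches(self, service_id: str, current_signature: str) -> bool:
        # Third-level judgment: the comparison itself runs on the trusted side.
        entry = self._db.get(service_id)
        return entry is not None and hmac.compare_digest(entry[1], current_signature)


class ServiceGate:
    """Rich-execution-environment side: registration and the three-level check."""

    def __init__(self, tee: TrustedStore, kernel_ids: dict):
        self.tee = tee
        self.kernel_ids = kernel_ids  # handle -> identifier seen by the higher-privilege layer
        self.index = {}               # service_id -> registration record

    def register(self, handle: str, code: bytes, service_name: str, length: int = 64) -> str:
        app_id = self.kernel_ids[handle]
        offset = secrets.randbelow(len(code) - length + 1)  # randomly chosen segment
        signature = segment_signature(code, offset, length)
        service_id = self.tee.register(app_id, signature, service_name)
        # Assumption: the segment position is kept so the same bytes can be re-hashed.
        self.index[service_id] = {"app_id": app_id, "signature": signature,
                                  "offset": offset, "length": length}
        return service_id

    def check(self, handle: str, code: bytes, service_id: str) -> str:
        record = self.index.get(service_id)
        if record is None:                                        # level 1
            return "not-registered"
        if self.kernel_ids.get(handle) != record["app_id"]:       # level 2
            return "identification-mismatch"
        current = segment_signature(code, record["offset"], record["length"])
        if not self.tee.signature_matches(service_id, current):   # level 3
            return "signature-mismatch"
        return "ok"


def flip_byte(code: bytes, position: int) -> bytes:
    """Return a copy of code with one byte changed (models a modified application)."""
    changed = bytearray(code)
    changed[position] ^= 0xFF
    return bytes(changed)


# Constructed sample data, not taken from the page.
APP1_CODE = bytes(range(256)) * 4
KERNEL_IDS = {"proc-1": "A1", "proc-2": "A2"}

if __name__ == "__main__":
    gate = ServiceGate(TrustedStore(), KERNEL_IDS)
    sid = gate.register("proc-1", APP1_CODE, "APP1FUNC1")
    rec = gate.index[sid]
    print(gate.check("proc-1", APP1_CODE, sid))
    print(gate.check("proc-1", APP1_CODE, "unknown"))
    print(gate.check("proc-2", APP1_CODE, sid))
    print(gate.check("proc-1", flip_byte(APP1_CODE, rec["offset"]), sid))
```

Only the sampled segment is covered by the signature, so the integrity of the rest of the code depends on how many segments are sampled. Splicing the position into the hash makes identical bytes at different offsets produce different signatures.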
The third embodiment is an explanation of processing of feedback data of the application service method, and after the processing of the feedback data, the present application further provides a method for online decision-making for a target application, as shown in fig. 4, which is a flowchart of an embodiment of an online decision-making method for a target application service method according to the fourth embodiment of the present application. The method comprises the following steps.
Step S401: in a rich execution environment, obtaining feedback data of a target application, obtaining a candidate object according to the feedback data, obtaining a decision request of the target application, and judging whether the target application registers a service aiming at the decision request; and if so, judging whether the current identification information of the target application is consistent with the initial identification information of the target application during registration.
When the method of the embodiment is used to obtain the decision result, the feedback data of the target application is obtained in the rich execution environment, and the candidate object is obtained according to the feedback data.
Specifically, obtaining candidates from the feedback data may be in a manner described below.
First, a corresponding set of objects of the feedback data is obtained.
And then, obtaining screening conditions aiming at the feedback data, screening objects meeting the screening conditions in the object set, and taking the objects meeting the screening conditions as candidate objects.
Since the method of the present embodiment is a method for obtaining a decision result, while obtaining feedback data, a decision request for a target application triggering the method is also obtained at the same time.
Of course, before obtaining the feedback data, the service registration of the target application is also judged first, the judgment process is also for ensuring the security of the user data, the judgment of the embodiment is also divided into three levels, and the judgment of the three levels is the same as that of the third embodiment.
The first two levels of judgment respectively determine whether the target application has registered the service targeted by the decision request and, if so, whether the current identification information of the target application is consistent with the initial identification information of the target application at registration. The specific judgment has been described in detail in the third embodiment and is not repeated here; refer to the corresponding description in the third embodiment.
Step S402: if the current identification information of the target application is consistent with the initial identification information of the target application during registration, judging whether the current signature information of the target application is consistent with the initial signature information of the target application during registration in a trusted execution environment, if so, acquiring a decision model for acquiring a decision result according to the candidate object according to a decision request of the target application, and acquiring the decision result according to the candidate object and the decision model.
Similarly, if it is determined that the current identification information of the target application is consistent with the initial identification information when the target application is registered, it is determined in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information when the target application is registered, and similarly, for a detailed description of this portion, reference is made to the description of this portion corresponding to the third embodiment, which is not described herein again.
After the current signature information of the target application is judged to be consistent with the initial signature information when the target application is registered in the trusted execution environment, a decision model for obtaining a decision result according to the candidate object is obtained according to the decision request of the target application and the candidate object obtained before. The specific manner of obtaining the decision model may be as described below.
First, a service identifier included in the decision request is obtained. The decision request obtained in step S401 includes the service identifier of the registered service of the target application.
After the service identifier is obtained, it is used as an index to obtain the decision model prestored during feedback data processing, and that model is used as the decision model for obtaining a decision result according to the candidate object. After the decision model in the third embodiment is trained, the obtained decision model is stored in the trusted execution environment with the service identifier as an index, so in the decision process the prestored decision model only needs to be retrieved from the trusted execution environment using the service identifier as the index.
After the decision model is obtained, a decision result is obtained according to the candidate object and the decision model. Obtaining the decision result comprises scoring each element of the candidate object according to the decision model, sorting the elements according to their scores, and taking the scoring and sorting result of each element as the decision result.
The online decision method of the embodiment can also be used for making a decision in a trusted execution environment with a higher security level, and the online decision of the embodiment is used for services of registered target applications, so that whether the target applications register the services needs to be checked step by step, whether the initial identification information of the registered target applications is consistent with the current identification information of the current target applications or not needs to be checked, and whether the initial signature information of the registered target applications is consistent with the current signature information of the current target applications or not needs to be checked in the trusted execution environment, so that the service of the target applications is further prevented from being maliciously tampered in the decision making process, and the safety of the users using the services of the target applications is further ensured.
Corresponding to the service registration in the second embodiment, in order to further ensure the security of the application service of the present application, the present application further provides a service cancellation method for an application, as shown in fig. 5, which is a flowchart of an embodiment of a cancellation method for an application service in the fifth embodiment of the present application. The method comprises the following steps.
Step S501: in the rich execution environment, acquiring a service logout request of the target application, judging whether the registered service exists in the target application according to the service logout request, and if so, judging whether the current identification information of the target application is consistent with the initial identification information of the target application during registration.
In this embodiment, an application service logout method is adopted, and a service logout request of a target application is first acquired, and subsequent operations are performed according to the logout request.
Similar to the third embodiment, when the logout method of the present embodiment is adopted, three levels of determination are also performed, and the following is a brief description of the three levels of determination, and the detailed description refers to the related description of the third embodiment.
The first level of determination determines whether the target application has a registered service.
As one of the ways of determining whether the target application has the registered service, all services of the target application may be obtained first, and then it may be sequentially determined whether all services of the target application have the service identifier. And if so, entering the judgment of a second layer, namely judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered.
The second level of determination determines whether the current identification information of the target application is consistent with the initial identification information of the target application at registration. The second level is entered once the target application is determined to satisfy the first-level condition.
Specifically, one of the ways of determining whether the current identification information of the target application is consistent with the initial identification information of the target application during registration may be, first, acquiring the identification information of the target application at a level higher than the authority level of the target application itself, and using the identification information as the current identification information of the target application; then, acquiring initial identification information when the target application is registered; and after the initial identification information and the current identification information are obtained, judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered.
Step S502: if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in the trusted execution environment, and if so, deleting the feedback data and the decision model aiming at the target application.
In step S501, if it is determined that the current identification information of the target application is consistent with the initial identification information at the time of registration of the target application, the third-level determination is performed, that is, it is determined whether the current signature information of the target application is consistent with the initial signature information at the time of registration of the target application.
The third level of determination determines whether the current signature information of the target application is consistent with the initial signature information when the target application was registered.
The third level is entered once the target application is determined to satisfy the second-level condition.
Similarly, in the second embodiment, it has been mentioned that the service that has successfully registered has the initial signature information in the rich execution environment during the registration process, so that the initial signature information at the time of registering the current target application can be extracted from the rich execution environment when the second level of judgment meets the condition.
When judging whether the current signature information of the target application is consistent with the initial signature information of the target application when the target application is registered in the trusted execution environment, the current signature information of the current target application can be determined in the rich execution environment according to the current identification information of the current target application. Similar to the way of obtaining the initial signature information in the second embodiment, the current signature information of the current target application may be obtained in the same way, that is, according to the current identification information of the target application, the current signature information of the target application is obtained.
As one way to obtain the current signature information of the target application according to the current identification information of the target application, first, a code segment and a code segment position of the target application are obtained according to the current identification information, and then the current signature information of the target application is obtained according to the code segment and the code segment position.
Specifically, one of the ways to obtain the current signature information of the target application according to the code segment and the code segment location may be to splice the code segment and the code segment location, calculate the signature information of the code segment through a HASH algorithm, and use the signature information of the code segment as the current signature information of the target application.
In this embodiment, the current signature information is used to ensure the security of data of the service of the target application during the logout process, and also to ensure the privacy of the user using the target application, so that the current signature information of the target application needs to be obtained during the logout process. Here, the current signature information further ensures that the service of the target application uses the system of the present application safely.
In order to acquire the code segment of the target application, when acquiring the code segment and the code segment position according to the current identification information, the target application to be registered needs to be confirmed, that is, the target application is determined according to the current identification information. After the target application from which code segments are to be acquired is determined, at least one code segment is selected from the code of the target application as the code segment of the target application. The code segment may be a randomly selected section of the target application's program, and when that section is acquired, the corresponding code segment position can be acquired as well. Since techniques for randomly acquiring a code segment of an application are mature, they are not described here.
In this embodiment, before acquiring a code segment of a target application, it is further determined whether the target application has an authority to acquire the code segment; and if the target application is determined to have the permission to acquire the code segment, acquiring the code segment of the target application through the current identification information.
Specifically, when logging out after registering the service of the target application by using the method of this embodiment, in order to ensure that the code segment of the target application can be acquired, it is necessary to determine whether the target application has the authority to acquire the code segment before acquiring the code segment of the target application. The judgment process here is to ensure that the code segment of the target application is successfully acquired. For example, if the current target application is judged to have the permission to acquire the code segment, acquiring the code segment of the target application through the current identification information; otherwise, the code segment of the target application cannot be acquired.
After the current signature information and the initial signature information during the target application registration are obtained, whether the current signature information of the target application is consistent with the initial signature information during the target application registration is judged in the trusted execution environment. It should be noted that this determination is performed in the trusted execution environment, and the signature information acquisition is performed in the rich execution environment. In summary, in the logout process, the last judgment in the three-level judgment is executed in the trusted execution environment, so as to fully ensure that the data of the target application cannot be tampered in the logout process.
After all three levels are verified, that is, the target application has a registered service, the current identification information of the target application is consistent with the initial identification information at registration, and the current signature information of the target application is consistent with the initial signature information at registration, the feedback data and the decision model for the target application are deleted.
The logout method of this embodiment can also perform the logout in a trusted execution environment with a higher security level. Because the logout method is used for a registered service of the target application, three things are checked step by step: whether the target application has registered the service, whether the initial identification information of the target application at registration is consistent with the current identification information of the target application, and, in the trusted execution environment, whether the initial signature information of the target application at registration is consistent with the current signature information of the target application. This further prevents the service of the target application from being maliciously tampered with during or before logout, and the safety of the service of the target application used by a.
In short, in the second to fifth embodiments, the application service of the present application is divided into a registration process, a data processing process, an online decision process, and a logout process, and each stage after registration is verified, so as to ensure the security of the user using the service of the target application.
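The three-level logout check of the fifth embodiment, as an added example that is not code from the patent. It assumes SHA-256 as the HASH algorithm, a fixed-width encoding of the segment position, a stored position and length so the same segment can be re-hashed at logout, and Python objects standing in for the rich and trusted execution environments; all names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def signature_info(code: bytes, position: int, length: int) -> bytes:
    """Splice the code segment with its position and hash the result."""
    segment = code[position:position + length]
    if position < 0 or len(segment) != length:
        raise ValueError("code segment outside the application image")
    # Fixed-width position/length so the spliced bytes parse only one way.
    spliced = segment + struct.pack(">QQ", position, length)
    return hashlib.sha256(spliced).digest()  # SHA-256 is an assumption


@dataclass
class ReeEntry:
    """Rich-side index entry, keyed by service identifier (assumed layout)."""
    ident: str
    position: int
    length: int


@dataclass
class TrustedStore:
    """Stand-in for the trusted-side database, keyed by service identifier."""
    signatures: dict = field(default_factory=dict)
    feedback: dict = field(default_factory=dict)
    models: dict = field(default_factory=dict)

    def register(self, ident: str, signature: bytes) -> str:
        service_id = secrets.token_hex(16)
        self.signatures[service_id] = (ident, signature)
        return service_id

    def signature_matches(self, service_id: str, current: bytes) -> bool:
        record = self.signatures.get(service_id)
        # compare_digest avoids leaking the mismatch position through timing.
        return record is not None and hmac.compare_digest(record[1], current)

    def delete_service(self, service_id: str) -> None:
        self.signatures.pop(service_id, None)
        self.feedback.pop(service_id, None)
        self.models.pop(service_id, None)


def register(ree_index, tee, ident, code, position, length) -> str:
    service_id = tee.register(ident, signature_info(code, position, length))
    ree_index[service_id] = ReeEntry(ident, position, length)
    return service_id


def logout(ree_index, tee, service_id, current_ident, current_code) -> str:
    # Level 1 (rich side): is there a registered service for this request?
    entry = ree_index.get(service_id)
    if entry is None:
        return "no-registered-service"
    # Level 2 (rich side): identification read from a higher privilege layer
    # must equal the identification recorded at registration.
    if current_ident != entry.ident:
        return "identification-mismatch"
    # Current signature is computed on the rich side from the current code.
    try:
        current_sig = signature_info(current_code, entry.position, entry.length)
    except ValueError:
        return "signature-mismatch"
    # Level 3 (trusted side): compare against the signature held there.
    if not tee.signature_matches(service_id, current_sig):
        return "signature-mismatch"
    tee.delete_service(service_id)  # feedback data and decision model
    del ree_index[service_id]
    return "deleted"


def demo():
    ree_index, tee = {}, TrustedStore()
    code = b"\x7fELF" + bytes(range(64))  # constructed application image
    sid = register(ree_index, tee, "uid:10123", code, 8, 32)
    tee.feedback[sid] = [{"clicked": 1}]  # constructed feedback data
    tee.models[sid] = b"model-weights"    # constructed decision model
    patched = bytearray(code)
    patched[20] ^= 0xFF                   # one byte changed inside the segment
    results = [
        logout(ree_index, tee, "unknown-id", "uid:10123", code),
        logout(ree_index, tee, sid, "uid:10999", code),
        logout(ree_index, tee, sid, "uid:10123", bytes(patched)),
    ]
    kept_after_failures = sid in tee.models
    results.append(logout(ree_index, tee, sid, "uid:10123", code))
    return results, kept_after_failures, sid in tee.models


if __name__ == "__main__":
    print(demo())
```

A failed check at any level leaves the stored feedback data and model in place; only a request that passes all three deletes them.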
Corresponding to the application service method, the application also provides an application service device. Please refer to fig. 6, which is a schematic diagram of an embodiment of an application service apparatus according to a sixth embodiment of the present application, and since the apparatus embodiment is substantially similar to the method embodiment, it is relatively simple to describe, and for related points, reference may be made to part of the description of the method embodiment, and the apparatus embodiment described below is only schematic. The application service device provided by the application comprises the following parts.
The application provides an application service device, including:
a service determining unit 601, configured to determine whether a registered service exists in the target application in a rich execution environment, if so, obtain a service request of the target application, obtain current identification information of the target application according to the service request, and obtain current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in a trusted execution environment;
and a service processing unit 602, configured to process according to the service request of the target application if the determination result is yes.
Optionally, the device further includes:
an initial signature information obtaining unit, configured to acquire, in a rich execution environment, a service registration request of a target application, acquire initial identification information of the target application according to the service registration request, and acquire initial signature information of the target application through the initial identification information;
a service identifier generating unit, configured to generate, in a trusted execution environment, the service identifier of the service to be registered according to the initial signature information and the initial identification information;
and an identifier returning unit, configured to return the service identifier to the target application.
Optionally, the initial signature information obtaining unit is specifically configured to:
acquiring identification information of the target application at a permission layer higher than the target application;
and taking the identification information as initial identification information of the target application.
Optionally, the initial signature information obtaining unit is specifically configured to:
acquiring a code segment and a code segment position of the target application according to the initial identification information;
and obtaining initial signature information of the target application according to the code segment and the code segment position.
Optionally, the initial signature information obtaining unit is specifically configured to:
splicing the code segments with the positions of the code segments to obtain spliced code information;
acquiring signature information of the code segments according to the spliced code information;
and taking the signature information of the code segment as initial signature information of the target application.
Optionally, the initial signature information obtaining unit is specifically configured to:
determining the target application according to the initial identification information;
and selecting at least one code segment from the code of the target application as the code segment of the target application.
Optionally, the initial signature information obtaining unit is further configured to:
judging whether the target application has the permission to acquire a code segment;
the acquiring the code segment of the target application through the initial identification information comprises:
and if the target application is determined to have the permission of acquiring the code segment, acquiring the code segment of the target application through the initial identification information.
Optionally, the service identifier generating unit is specifically configured to:
storing the initial signature information and the initial identification information in a database of the trusted execution environment;
and generating a service identifier of the service needing to be registered, wherein the service identifier corresponds to the initial signature information and the initial identification information in the trusted execution environment.
Optionally, the identifier returning unit is specifically configured to:
storing the initial identification information and the initial signature information of the registered target application by taking the service identifier as an index in the rich execution environment; returning the service identification stored in the rich execution environment to the target application.
Optionally, the service registration request includes at least one of the following information:
name information of a service to be registered in the target application;
information on whether data encryption is enabled for the service to be registered;
data encryption algorithm information for the service to be registered;
and data decryption public key information for the service to be registered.
Optionally, the initial identification information of the target application at least includes a unique identifier of the target application, where the unique identifier is a unique identifier of a kernel authority layer of the target application.
Optionally, the service determination unit is specifically configured to:
obtaining information of all services of the target application;
and judging whether all the services of the target application have service identifications.
Optionally, the service determination unit is specifically configured to:
acquiring identification information of the target application at a permission layer higher than the target application, and taking the identification information as the current identification information of the target application;
acquiring initial identification information when the target application is registered;
and judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered.
Optionally, the service determination unit is specifically configured to:
acquiring current signature information of the target application according to the current identification information of the target application;
acquiring initial signature information when the target application is registered;
and judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered.
Optionally, the service determination unit is specifically configured to:
acquiring a code segment and a code segment position of the target application according to the current identification information;
and obtaining the current signature information of the target application according to the code segment and the code segment position.
Optionally, the service determination unit is specifically configured to:
splicing the code segments with the positions of the code segments to obtain spliced code information;
acquiring signature information of the code segments according to the spliced code information;
and taking the signature information of the code segment as the current signature information of the target application.
Optionally, the service determination unit is specifically configured to:
determining the target application according to the current identification information;
and selecting at least one code segment from the code of the target application as the code segment of the target application.
Optionally, the service determination unit is specifically configured to:
judging whether the target application has the permission to acquire a code segment;
and if the target application is determined to have the permission of acquiring the code segment, acquiring the code segment of the target application through the current identification information.
Optionally, the service determination unit is specifically configured to: in a rich execution environment, obtaining a feedback data sample of a target application, and taking the obtained feedback data sample of the target application as a service request of the obtained target application;
the service processing unit is specifically configured to: in a trusted execution environment, training a decision model for obtaining a service decision result according to feedback data of a target application according to the feedback data sample; and taking the decision model of the obtained service decision result as a processing result.
Optionally, the system further comprises a decision unit, wherein the decision unit is specifically configured to:
in the rich execution environment, obtaining feedback data of the target application;
and in the trusted execution environment, obtaining a service decision result aiming at the feedback data of the target application according to the feedback data of the target application and the decision model.
Optionally, the decision unit is specifically configured to:
in the trusted execution environment, collecting feedback data of the target application to a database;
judging whether the feedback data are collected completely, and if so, deleting all the feedback data of the database;
and obtaining a service decision result aiming at the feedback data of the target application according to the feedback data of the target application and the decision model.
Optionally, the decision unit further includes a decryption unit, and the decryption unit is specifically configured to:
judging whether the feedback data is encrypted, if so, decrypting the feedback data;
the decision unit is specifically configured to:
and obtaining a service decision result aiming at the feedback data of the target application according to the decrypted feedback data and the decision model.
Optionally, the service determination unit is specifically configured to: in a rich execution environment, obtaining feedback data of a target application, and obtaining a candidate object according to the feedback data; obtaining a decision request of the target application; taking the decision request for acquiring the target application as a service request of the acquired target application;
the service processing unit is specifically configured to: in a trusted execution environment, obtaining a decision model for obtaining a decision result according to the candidate object according to the decision request of the target application, and obtaining a decision result according to the candidate object and the decision model; and taking the obtained decision result as a processing result.
Optionally, the service determination unit is specifically configured to:
acquiring an object set corresponding to the feedback data;
and obtaining a screening condition aiming at the feedback data, screening the objects meeting the screening condition in the object set, and taking the objects meeting the screening condition as candidate objects.
Optionally, the service processing unit is specifically configured to:
acquiring a service identifier contained in the decision request;
and obtaining the decision model by taking the service identification as an index.
Optionally, the service processing unit is specifically configured to:
scoring each element of the candidate object according to the decision model to obtain a scoring result;
sorting each element according to the grading result to obtain a sorting result;
and taking the scoring result and the sorting result as decision results.
The application service method of the present application can be applied to a terminal, and correspondingly, the present application also provides a terminal, please refer to fig. 7, which is a schematic diagram of a terminal in a seventh embodiment of the present application.
The terminal provided by the application comprises the following parts.
A service determining unit 701, configured to determine whether a registered service exists in a rich execution environment in the terminal, if so, obtain a service request of a target application, obtain current identification information of the target application according to the service request, and obtain current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in a trusted execution environment in the terminal;
and a service processing unit 702, configured to, if a determination result is yes, perform processing according to the service request of the target application.
The present application further provides a system for application services, as shown in fig. 8, which is a component schematic diagram of an embodiment of a system for application services according to an eighth embodiment of the present application. The system comprises the following components: a feedback data collector, a service manager, an end-side decision TA, a feedback learner, a decision maker, and a data and model manager.
Wherein the feedback data collector and the service manager are located in a rich execution environment of the system. The feedback data collector is used for collecting feedback data of the target application according to the identification information of the authority layer higher than the target application, and the service manager is used for transmitting the request type of the service to the trusted execution environment according to the identification information of the authority layer higher than the target application.
The end-side decision TA, the feedback learner, the decision maker and the data and model manager are all located in a trusted execution environment. The end-side decision TA is used for calling the feedback learner, the decision maker and the data and model manager according to the request type of the service and processing the request accordingly. The request types of the service include: registration/deregistration of services, feedback data processing and online decision making. The feedback learner is used to train, based on the feedback data samples, a decision model for obtaining a service decision result from the feedback data of the target application. The decision maker is used for obtaining a service decision result for the feedback data of the target application according to the feedback data and the decision model. The data and model manager is used for storing feedback data and decision models.
According to the system, each component is distributed in different execution environments, so that the safety of the application adopting the system in the data transmission process is guaranteed, and the data is prevented from being tampered in the data transmission process when the service of the target application is used.
Although the present application has been described with reference to the preferred embodiments, it is not intended to limit the present application, and those skilled in the art can make variations and modifications without departing from the spirit and scope of the present application, therefore, the scope of the present application should be determined by the claims that follow.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
1. Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
2. As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Claims (28)

1. An application service method, comprising:
in a rich execution environment, judging whether the target application has a registered service, if so, acquiring a service request of the target application, acquiring current identification information of the target application according to the service request, and acquiring current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered;
if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in a trusted execution environment, and if so, processing according to the service request of the target application.
2. The application service method of claim 1, further comprising:
in a rich execution environment, acquiring a service registration request of a target application, acquiring initial identification information of the target application according to the service registration request, and acquiring initial signature information of the target application through the initial identification information;
and in a trusted execution environment, generating a service identifier of a service needing to be registered according to the initial signature information and the initial identification information, and returning the service identifier to the target application.
3. The application service method of claim 2, wherein the obtaining initial identification information of the target application according to the service registration request comprises:
acquiring identification information of the target application at a permission layer higher than the target application;
and taking the identification information as initial identification information of the target application.
4. The application service method of claim 2, wherein the obtaining of the initial signature information of the target application through the initial identification information comprises:
acquiring a code segment and a code segment position of the target application according to the initial identification information;
and obtaining initial signature information of the target application according to the code segment and the code segment position.
5. The application service method of claim 4, wherein obtaining initial signature information of the target application according to the code segment and the code segment location comprises:
splicing the code segments with the positions of the code segments to obtain spliced code information;
acquiring signature information of the code segments according to the spliced code information;
and taking the signature information of the code segment as initial signature information of the target application.
6. The application service method according to claim 4, wherein the obtaining of the code segment and the code segment location of the target application according to the initial identification information comprises:
determining the target application according to the initial identification information;
and selecting at least one code segment from the code of the target application as the code segment of the target application.
7. The application service method of claim 4, further comprising:
judging whether the target application has the permission to acquire a code segment;
the acquiring the code segment of the target application through the initial identification information comprises:
and if the target application is determined to have the permission of acquiring the code segment, acquiring the code segment of the target application through the initial identification information.
8. The application service method of claim 2, wherein generating, in the trusted execution environment, the service identifier of the service to be registered according to the initial signature information and the initial identification information comprises:
storing the initial signature information and the initial identification information in a database of the trusted execution environment;
and generating a service identifier of the service needing to be registered, wherein the service identifier corresponds to the initial signature information and the initial identification information in the trusted execution environment.
9. The application service method of claim 2, wherein returning the service identification to the target application comprises:
storing the initial identification information and the initial signature information of the registered target application by taking the service identifier as an index in the rich execution environment; returning the service identification stored in the rich execution environment to the target application.
10. The service method of claim 2, wherein the service registration request comprises at least one of the following information:
name information of a service to be registered in the target application;
information whether data encryption is started for the service needing to be registered;
data encryption algorithm information for the service to be registered;
and data decryption public key information for the service to be registered.
11. The application service method according to claim 2 or 3, wherein the initial identification information of the target application at least comprises a unique identifier of the target application, and the unique identifier is a unique identifier of a kernel authority layer of the target application.
12. The application service method of claim 2, wherein the determining whether the target application has a registered service comprises:
obtaining information of all services of the target application;
and judging whether all the services of the target application have service identifications.
13. The application service method of claim 1, wherein the determining whether the current identification information of the target application is consistent with the initial identification information of the target application at the time of registration comprises:
acquiring identification information of the target application at a permission layer higher than the target application, and taking the identification information as the current identification information of the target application;
acquiring initial identification information when the target application is registered;
and judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered.
14. The application service method of claim 13, wherein the determining, in the trusted execution environment, whether the current signature information of the target application is consistent with the initial signature information of the target application at the time of registration comprises:
acquiring current signature information of the target application according to the current identification information of the target application;
acquiring initial signature information when the target application is registered;
and judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered.
15. The application service method of claim 14, wherein the obtaining current signature information of the target application according to the current identification information of the target application comprises:
acquiring a code segment and a code segment position of the target application according to the current identification information;
and obtaining the current signature information of the target application according to the code segment and the code segment position.
16. The application service method of claim 15, wherein obtaining the current signature information of the target application according to the code segment and the code segment location comprises:
splicing the code segments with the positions of the code segments to obtain spliced code information;
acquiring signature information of the code segments according to the spliced code information;
and taking the signature information of the code segment as the current signature information of the target application.
17. The application service method of claim 15, wherein the obtaining of the code segment and the code segment location of the target application according to the current identification information comprises:
determining the target application according to the current identification information;
and selecting at least one code segment from the code of the target application as the code segment of the target application.
18. The application service method of claim 15, further comprising:
judging whether the target application has the permission to acquire a code segment;
the acquiring the code segment of the target application through the current identification information includes:
and if the target application is determined to have the permission of acquiring the code segment, acquiring the code segment of the target application through the current identification information.
19. The application service method of claim 1, wherein the obtaining the service request of the target application comprises:
in a rich execution environment, obtaining a feedback data sample of the target application; and taking the feedback data sample of the target application as the service request of the target application;
the processing according to the service request of the target application comprises: in a trusted execution environment, training, according to the feedback data sample, a decision model for obtaining a service decision result from feedback data of the target application; and taking the decision model as the processing result.
20. The application service method of claim 19, further comprising:
in the rich execution environment, obtaining feedback data of the target application;
and in the trusted execution environment, obtaining a service decision result aiming at the feedback data of the target application according to the feedback data of the target application and the decision model.
21. The application service method of claim 20, further comprising:
storing, in the trusted execution environment, feedback data of the target application to a database;
judging whether the feedback data are collected completely, and if so, deleting all the feedback data of the database;
and obtaining a service decision result aiming at the feedback data of the target application according to the feedback data of the target application and the decision model.
22. The application service method of claim 21, further comprising:
judging whether the feedback data is encrypted, if so, decrypting the feedback data;
the obtaining a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model includes:
and obtaining a service decision result aiming at the feedback data of the target application according to the decrypted feedback data and the decision model.
23. The application service method of claim 1, wherein the obtaining the service request of the target application comprises:
in a rich execution environment, obtaining feedback data of the target application, obtaining a candidate object according to the feedback data, and obtaining a decision request of the target application; and taking the decision request of the target application as the service request of the target application;
the processing according to the service request of the target application comprises: in a trusted execution environment, obtaining, according to the decision request of the target application, a decision model for obtaining a decision result from the candidate object, and obtaining a decision result according to the candidate object and the decision model; and taking the obtained decision result as the processing result.
24. The application service method of claim 23, wherein the obtaining candidate objects according to the feedback data comprises:
acquiring an object set corresponding to the feedback data;
and obtaining a screening condition aiming at the feedback data, screening the objects meeting the screening condition in the object set, and taking the objects meeting the screening condition as candidate objects.
25. The application service method of claim 23, wherein the obtaining a decision model for obtaining a decision result according to the candidate object according to the decision request of the target application comprises:
acquiring a service identifier contained in the decision request;
and obtaining the decision model by taking the service identification as an index.
26. The application service method of claim 23, wherein obtaining a decision result according to the candidate object and the decision model comprises:
scoring each element of the candidate object according to the decision model to obtain a scoring result;
sorting each element according to the scoring result to obtain a sorting result;
and taking the scoring result and the sorting result as decision results.
27. An application service apparatus, comprising:
the service judging unit is used for judging whether the registered service exists in the target application in a rich execution environment, if so, acquiring a service request of the target application, acquiring the current identification information of the target application according to the service request, and acquiring the current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in a trusted execution environment;
and the service processing unit is used for processing according to the service request of the target application if the judgment result is yes.
28. A terminal, comprising:
the service judging unit is used for judging whether a registered service exists in a target application in a rich execution environment in the terminal, if so, acquiring a service request of the target application, acquiring current identification information of the target application according to the service request, and acquiring current signature information of the target application through the current identification information; judging whether the current identification information of the target application is consistent with the initial identification information when the target application is registered; if the current identification information of the target application is consistent with the initial identification information when the target application is registered, judging whether the current signature information of the target application is consistent with the initial signature information when the target application is registered in a trusted execution environment in the terminal;
and the service processing unit is used for processing according to the service request of the target application if the judgment result is yes.
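The registration and verification flow of claims 1 to 18, as an added Python example that is not part of the patent. It assumes SHA-256 as the signature function (the claims name no algorithm) and models the trusted execution environment and the higher permission layer as in-process objects; all class, function and sample names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct


def segment_signature(image: bytes, offset: int, length: int) -> bytes:
    """Claims 4-5 and 15-16: splice the code segment with its position, then
    digest. SHA-256 is an assumption; the claims name no algorithm."""
    segment = image[offset:offset + length]
    if offset < 0 or len(segment) != length:
        raise ValueError("code segment lies outside the application image")
    return hashlib.sha256(segment + struct.pack(">QQ", offset, length)).digest()


class TeeStore:
    """Stand-in for the trusted-execution-environment database (claim 8)."""

    def __init__(self):
        self._records = {}  # service id -> (initial identification, initial signature)

    def register(self, ident: int, signature: bytes) -> str:
        service_id = secrets.token_hex(16)
        self._records[service_id] = (ident, signature)
        return service_id

    def signature_matches(self, service_id: str, current: bytes) -> bool:
        record = self._records.get(service_id)
        return record is not None and hmac.compare_digest(record[1], current)


class ReeGateway:
    """Stand-in for the rich-execution-environment side of the service."""

    def __init__(self, tee: TeeStore, kernel_view: dict):
        self.tee = tee
        # pid -> (uid, image): what a higher permission layer reports about a
        # process (claims 3 and 13), never what the caller says about itself.
        self.kernel_view = kernel_view
        self.index = {}  # service id -> (initial uid, offset, length), claim 9

    def register(self, pid: int, offset: int, length: int) -> str:
        uid, image = self.kernel_view[pid]
        service_id = self.tee.register(uid, segment_signature(image, offset, length))
        self.index[service_id] = (uid, offset, length)
        return service_id

    def handle(self, pid: int, service_id: str) -> str:
        entry = self.index.get(service_id)
        if entry is None:
            return "no registered service"
        initial_uid, offset, length = entry
        uid, image = self.kernel_view[pid]
        if uid != initial_uid:  # identification check in the REE
            return "identification mismatch"
        current = segment_signature(image, offset, length)
        if not self.tee.signature_matches(service_id, current):  # check in the TEE
            return "signature mismatch"
        return "processed"


def demo() -> list:
    image = b"\x7fELF" + bytes(range(64)) * 4  # constructed sample image
    kernel_view = {100: (10001, image), 200: (10002, image)}  # constructed pids/uids
    gateway = ReeGateway(TeeStore(), kernel_view)
    sid = gateway.register(100, 16, 64)
    results = [gateway.handle(100, sid)]        # registered app, unchanged code
    results.append(gateway.handle(200, sid))    # same service id, different uid
    kernel_view[100] = (10001, image[:20] + b"\xcc" + image[21:])  # code changed
    results.append(gateway.handle(100, sid))    # after registration
    results.append(gateway.handle(100, "0" * 32))  # unknown service id
    return results
```

Because the position is spliced into the digest input, two byte-identical segments at different offsets yield different signatures, so a stored signature cannot be satisfied by the same bytes found elsewhere in the image.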
CN201910411135.XA 2019-05-16 2019-05-16 Application service method and device Active CN111953637B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910411135.XA CN111953637B (en) 2019-05-16 2019-05-16 Application service method and device
PCT/CN2020/088644 WO2020228564A1 (en) 2019-05-16 2020-05-06 Application service method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910411135.XA CN111953637B (en) 2019-05-16 2019-05-16 Application service method and device

Publications (2)

Publication Number Publication Date
CN111953637A (en) 2020-11-17
CN111953637B (en) 2022-08-26

Family

ID=73288833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910411135.XA Active CN111953637B (en) 2019-05-16 2019-05-16 Application service method and device

Country Status (2)

Country Link
CN (1) CN111953637B (en)
WO (1) WO2020228564A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113296831B (en) * 2021-06-11 2023-08-25 恒安嘉新(北京)科技股份公司 Application identifier extraction method and device, computer equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105446713A (en) * 2014-08-13 2016-03-30 阿里巴巴集团控股有限公司 Safe storage method and equipment
CN105447387A (en) * 2015-11-05 2016-03-30 工业和信息化部电信研究院 Trusted application detection method and apparatus based on hardware isolation environment
WO2017219812A1 (en) * 2016-06-25 2017-12-28 华为技术有限公司 Content recommendation method and device
EP3293656A1 (en) * 2016-09-13 2018-03-14 Gemalto Sa Method for controlling access to a trusted application in a terminal
CN108156175A (en) * 2018-01-22 2018-06-12 成都汇智远景科技有限公司 To the access method of shared storage information under cloud computing platform
CN108399329A (en) * 2018-01-23 2018-08-14 晶晨半导体(上海)股份有限公司 A method of improving trusted application safety
CN108664772A (en) * 2018-04-27 2018-10-16 北京可信华泰信息技术有限公司 A method of ensureing security of system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104023032B (en) * 2014-06-23 2017-11-24 北京握奇智能科技有限公司 Application based on credible performing environment technology is limited discharging method, server and terminal
US10250595B2 (en) * 2015-03-30 2019-04-02 Gbs Laboratories, Llc Embedded trusted network security perimeter in computing systems based on ARM processors
CN105429760B (en) * 2015-12-01 2018-12-14 神州融安科技(北京)有限公司 A kind of auth method and system of the digital certificate based on TEE
US9917862B2 (en) * 2016-04-14 2018-03-13 Airwatch Llc Integrated application scanning and mobile enterprise computing management system

Also Published As

Publication number Publication date
CN111953637B (en) 2022-08-26
WO2020228564A1 (en) 2020-11-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant