CN106897611A - Secure virtual mobile applications running environment system and method and application without root authority - Google Patents
- Publication number
- CN106897611A (application number CN201710122674.2A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a secure virtual execution environment for mobile applications that requires no root privileges, together with its method and applications. The user opens the virtual execution environment control program and selects the target mobile application to run; a container process loads the target application; the container process sets hooks and uses them to dynamically intercept the communication and interface calls between the target program and the operating system; a proxy service receives the intercepted communication and interface-call requests and interacts with the operating system on behalf of the target program; a security module analyzes the interaction between the target program and the mobile operating system and, through the proxy service, applies dynamic permission control to that interaction; a log module records the time and content of every system access, providing the basis for further security analysis. The invention is a secure virtual environment that runs directly on an existing Android system and supports and protects the execution of target mobile programs. It has low runtime overhead, requires no root privileges and no changes to the existing Android system, and therefore has high compatibility and applicability.
Description
Technical field
The invention belongs to the field of information security for smart mobile devices. It relates to a secure virtual execution environment (Virtual Execution Environment) that supports running mobile applications (APPs) on Android without root privileges, and in particular to a root-free secure virtual mobile application execution environment system, its method and its applications.
Background
The secure mobile virtual execution environment described here virtualizes the execution of a mobile APP: the target APP believes it is running directly on the operating system, while it actually runs in an abstract, unified virtual execution environment that is securely isolated from the rest of the mobile system.
With the explosive growth in recent years of mobile viruses and malicious programs targeting mobile terminals, new security mechanisms based on virtualization have attracted considerable attention. By virtualizing the mobile terminal platform and its system resources, it is possible to monitor the internals of a mobile APP running in the virtual environment and all of its interactions with the operating system, and to securely isolate the target APP from the mobile system. The user can then run the target APP in a controlled environment, control its interaction with the system and prevent malicious behavior.
Virtualization techniques currently available for mobile terminals usually work by interpreting and translating the instructions of the target program. This approach places high performance demands on the mobile terminal and has a large overhead. A second class of methods modifies the Android system framework (Framework), or supplies a modified Java virtual machine, to run the target APP and monitor it. This requires modifying the underlying mobile operating system and running with elevated system privileges, such as root. A third class of methods monitors the target APP by directly modifying its program code or by changing the entry point of the target program. Such methods require the target APP's digital signature to be changed and the APP to be repackaged, which violates the APP's legal authorization and may carry legal risk. In addition, more and more APP developers use remote attestation (Remote Attestation) to guarantee program integrity and prevent unauthorized modification. These limitations increase the deployment cost and runtime overhead of existing methods and greatly reduce their compatibility.
Summary of the invention
Object of the invention: to overcome the deficiencies of the prior art, the invention provides a root-free secure virtual execution environment for mobile applications, that is, a secure virtual environment system that runs directly on an existing Android system and supports the execution of mobile programs, together with its working method and applications. The system and method have low runtime overhead, do not need root privileges, require no changes to the existing Android system or to the target program, and have high compatibility.
Technical solution: to achieve the above object, the invention adopts the following technical solution.
The system and method dynamically intercept the communication between the application and the operating system and act as a proxy between the two, so that neither the application nor the Android operating system is aware of the other. The two sides are securely isolated from each other, and the application ends up running in a controlled virtual execution environment.
A root-free secure virtual mobile application execution environment system comprises the following modules:
Container process module: runs the target application;
Hook method module: intercepts the communication and interface calls between the operating system and the target application running in the container process;
Service proxy module: implements the interface between the operating system and the application, and interacts with the operating system on behalf of the target application running in the container;
Log module: records the time and content of all communication between the target application and the operating system, for later security analysis;
Security control rule module: controls the granting of permissions to the target application, its access to system resources and its communication with the operating system.
The container process module, the hook method module and the service proxy module are connected in sequence. The log module is connected to the hook module to record the running log of the target program. The security control module controls the target program's access to system resources through defined security rules that are deployed in the hook module and the service proxy module.
Further, a series of hooks is placed in the container process module to intercept and replace the actions and behavior of the target application at run time. The hooks include:
Binder hook: captures the system services obtained by the target application and redirects them to the Android system service proxies provided by this system;
Java method hook: intercepts the Java program logic inside the target application, rewrites vulnerable program logic, and intercepts part of the IPC between the target mobile APP and the Android system and other processes;
ELF hook: intercepts the native program logic in Executable and Linkable Format (ELF) inside the target application, and part of the IPC between the target mobile APP and the Android system and other processes.
Further, the security control rule module includes:
Dynamic permission management rules: dynamically adjust the permissions of the target application to achieve context-aware permission management;
Program logic rewriting rules: used together with the hooks loaded in the secure process to dynamically repair internal defects of the target application.
The method of the above root-free secure virtual mobile application execution environment comprises the following steps:
1) the user opens the virtual execution environment control program and selects the target application to run;
2) the container process loads the target application;
3) the container process sets hooks and uses them to dynamically intercept the communication and interface calls between the target program and the operating system;
4) the proxy service receives the intercepted communication and interface-call requests and interacts with the system on behalf of the target program;
5) the security module analyzes the interaction between the target program and the mobile operating system and, through the proxy service, applies dynamic permission control to these interactions;
6) the log module records the time and content of every system access for further security analysis.
Further, the system can rewrite the target application, set up a virtual execution environment for it and run the target application securely inside that environment. The specific method of securely running the target application in steps 2)-4) is:
1) after the container process starts, a Binder hook is set in it, redirecting the communication between the container process and the system services to the system service proxies created by this system;
2) through the interface provided by this system, the user selects the target application to start;
3) this system uses the Package Manager to construct the ApplicationInfo and ActivityInfo needed to run the target application;
4) this system sends the constructed ApplicationInfo to the container process so that it binds the target application; this starts the target application's application classes;
5) while binding the target application, the container process sets the Java method hooks and ELF hooks and loads the program logic rewriting rules;
6) this system asks the Activity Manager to start a proxy Activity;
7) this system intercepts the start of the proxy Activity and tells the container process to start the target Activity of the target application;
8) the target application in the secure process runs the target Activity using the resources created by the system Activity Manager.
Further, the system can observe and control the internal logic of the target application and the communication between the target application and the outside.
Use of the above root-free secure virtual mobile application execution environment in a sandbox environment.
Use of the above root-free secure virtual mobile application execution environment in an encrypted APP execution environment.
Use of the above root-free secure virtual mobile application execution environment in context-aware permission control.
Beneficial effects: compared with the prior art, the root-free secure virtual mobile application execution environment, method and applications of the invention have the following advantages. The invention is a secure virtual environment, with its working method, that runs directly on an existing Android system and supports the execution of mobile programs. It differs from existing mobile virtualization techniques in that it is a stand-alone application: it does not need to run as root and requires no changes to the existing Android system, while giving the user a controllable, secure execution environment.
The specific beneficial effects of the invention are:
1. Programs run more safely. The system isolates the target program from the mobile system and from other programs. The user can configure an application's access permissions independently and dynamically, preventing malicious applications from stealing private data without the user's knowledge. The virtual environment protects every application running in it, preventing other malicious programs from stealing the target program's data. The system can also bind an application to a specific mobile device or environment, preventing the target application from running on an unauthorized terminal or in an unsafe mobile environment.
2. Runtime overhead is lower. Because the system does not translate and interpret each instruction of the target mobile application, the runtime overhead of the virtual environment is greatly reduced.
3. Compatibility is higher. Because it does not need to run as root, the system is compatible with existing Android environments and supports the existing Android development environment. Mobile application developers do not need to do additional development for the secure virtual environment, which lowers their development cost. Existing mobile applications run directly in the virtual execution environment, which at the same time improves their security.
4. Deployment on mobile terminals is more convenient. Because the system does not need to change the operating system, the invention is easy to deploy on terminals and the cost of deployment on mobile terminals is greatly reduced.
Brief description of the drawings
Fig. 1 is the architecture diagram of the system;
Fig. 2 is the flow chart of running a target mobile APP in the system;
Fig. 3 is the structure diagram of the sandbox environment implemented in the system;
Fig. 4 is a schematic diagram of installing and running an encrypted mobile APP in the system;
Fig. 5 is a schematic diagram of context-aware permission control implemented in the system;
Fig. 6 is the Android architecture diagram;
Fig. 7 shows a utility APP running inside the system with its advertisement intercepted;
Fig. 8 shows a game APP running in the system and being given virtual geographic coordinates;
Fig. 9 shows an instant-messaging APP running inside and outside the system at the same time, with the two instances communicating with each other;
Fig. 10 shows an APP that obtains private information running inside and outside the system.
Specific embodiments
The invention is further described below with reference to the drawings and embodiments.
I. System scenario
The technical problem addressed by the invention is to provide a system, a method and applications for running mobile APPs securely. The system and method offer high compatibility: without root privileges and without modifying the underlying Android system, they provide a virtual environment in which mobile APPs run, and they effectively improve the security of those APPs.
Fig. 1 is the architecture diagram of the system. The system consists of the following components:
1. Container process: the system has the Android system create a secure process that serves as a container (container) in which the target mobile APP runs. Because the container process is created by this system, the system has full management and control over it. The system then places a series of hooks (hook) to intercept (intercept) and replace the actions and behavior of the target mobile APP at run time, which achieves security and virtualization.
2. Binder hook: Android provides the Binder mechanism as its main inter-process communication (IPC) mechanism. Mobile APPs on Android obtain Android system services through Binder. The system sets a Binder hook in the secure process that captures the system services obtained by the target mobile APP and redirects them to the Android system service proxies provided by this system.
3. Java method hook: on Android, mobile APPs are written in and compiled from Java. The system sets Java method hooks in the secure process to intercept program logic inside the target mobile APP, to rewrite vulnerable program logic, and to intercept part of the IPC between the target mobile APP and the Android system and other processes.
4. ELF hook: some mobile APPs on Android execute native (Native) code in Executable and Linkable Format (ELF). The system sets ELF hooks in the secure process to intercept program logic inside the target mobile APP and the IPC between the target mobile APP and the Android system and other processes.
5. System service proxies: Android provides a series of services (for example, Service Manager and Activity Manager) that interact with mobile APPs through Binder to meet their needs. The system provides a series of system service proxies. Interactions between the target mobile APP and the Android system services are captured and handled by these proxies, which satisfies the requirements of security and virtualization.
6. Dynamic permission management rules: Android provides a set of static rules to control the permissions of mobile APPs. Building on the virtualized environment in which the APP runs, the system uses dynamic permission management rules to adjust the target APP's permissions dynamically and so achieves context-aware (context aware) permission management.
7. Program logic rewriting rules: some mobile APPs carry security risks caused by internal logic flaws. The system uses the hooks loaded in the secure process together with program logic rewriting rules to dynamically repair internal defects of the target mobile APP.
8. Program log: through the hooks loaded in the secure process, the system captures and records the interaction between the target mobile APP and the Android system as well as the internal state of the target mobile APP. The program log of the target mobile APP can then undergo further security analysis.
From the point of view of the Android environment, the system is an independent mobile APP that needs neither root privileges nor changes to the underlying Android system, so it has high compatibility. Using the components described above, the system implements and provides a secure virtual execution environment for mobile APPs.
II. Startup process of the target mobile APP
The system and method implement a virtual environment for running mobile APPs securely. On Android, the user interface of a mobile APP is implemented by Activities. Fig. 2 shows the flow of starting and running an Activity of a target mobile APP in this virtual environment. The other components of a mobile APP are started under the system in a way similar to that shown in Fig. 2. The startup flow is as follows:
1) to the Android environment the system is an independent APP, so the system itself is started first;
2) the system service proxies are created and left running in the background;
3) the container process is created;
4) after the container process starts, a Binder hook is set in it, redirecting the communication between the container process and the system services to the system service proxies created by this system;
5) through the interface provided by this system, the user selects the target mobile APP to start;
6) this system uses the Package Manager to construct the ApplicationInfo and ActivityInfo of the target mobile APP;
7) this system sends the constructed ApplicationInfo to the container process so that it binds (bind) the target APP; this starts the application classes of the target mobile APP;
8) while binding the target mobile APP, the container process sets the Java method hooks and ELF hooks and loads the program logic rewriting rules;
9) this system asks the Activity Manager to start a proxy Activity;
10) this system intercepts the start of the proxy Activity and tells the container process to start the target Activity of the target mobile APP;
11) the target mobile APP in the secure process runs the target Activity using the resources created by the system Activity Manager.
From this point on, the target mobile APP runs in the container process controlled by this system and interacts with the user. Because the container process is under the control of this system, the hooks that the system has set allow it to observe and control both the internal logic of the target mobile APP and the communication between the target APP and the outside. For the target mobile APP, therefore, the system has created a virtual execution environment. For the mobile system, it is this system that started and is running a proxy Activity; the mobile system does not know that a target APP is running inside the virtual environment, so the mobile system and the target APP are securely isolated from each other.
III. Embodiments
1. Sandbox (Sandbox) environment
A malicious mobile APP obtains information illegitimately by attacking the mobile system. For an unknown APP, a sandbox provides an execution environment that is isolated from the device's own mobile system. If the unknown APP is malicious, it can attack only the sandbox, not the real mobile system. Fig. 3 shows the structure of the sandbox environment implemented in this system. The sandbox environment runs the mobile APP whose true intent is unknown, and which may contain malicious code, in the secure process. Through the hooks it has set, the system intercepts all communication between the unknown APP and the outside. The system can report the intercepted communication to the user and indicate whether this external communication of the unknown APP is malicious. If the unknown APP is malicious, it can attack only this system and cannot attack the underlying mobile system of the device. From the system's prompts the user learns about the malicious APP and can uninstall it to remove the effect of the attack.
2. Encrypted APP execution environment
Some mobile APPs need to run in a mobile environment with a higher security level. If the mobile environment itself has security weaknesses (for example, a rooted smartphone), it can be hijacked and used to attack the mobile APPs running on it, for example by leaking an installed APP to an attacker for reverse-engineering (Reverse Engineering) analysis. An encrypted APP execution environment effectively addresses such attacks and provides additional security. Through cryptographic authentication, an administrator can control which mobile devices a given mobile APP may run on. Even if a mobile environment has security weaknesses, it cannot attack a mobile APP running in the encrypted environment.
The system provides two modules to support installing and running encrypted APPs: 1) the Package Manager proxy mainly handles the installation and decryption of the APP and supplies the APP's meta-information (Meta Information), such as ApplicationInfo and ActivityInfo; 2) the mobile APP launcher module provides a graphical interface for interacting with the user and helps the user select the target mobile APP. The system also needs a security authentication and key management module, which can reuse the Keystore service provided by the system. Fig. 4 is a schematic diagram of installing and running an encrypted APP under the system. An encrypted APP must be encrypted by the system administrator or the APP developer and supplied with a digital signature and certificate. After an encrypted APP has been downloaded and installed into the system, the Package Manager proxy queries the security authentication/key management module and verifies the digital signature and certificate. If this verification fails, installation of the APP cannot continue. The mobile APP launcher module works as shown in Fig. 2. After the user selects the target APP, the Package Manager proxy requests the key from the security authentication/key management module and decrypts the target APP. As described earlier, the Package Manager proxy constructs meta-information such as ApplicationInfo and ActivityInfo; this meta-information contains the code information of the decrypted APP and is sent by the mobile APP launcher module to the secure process, which starts the target APP. In this way an encrypted mobile APP can be installed and run under the system.
3. Context-aware (context-aware) permission control (permission control)
Android's permission control for mobile APPs is static. On Android, the developer of an APP declares the permissions the APP needs in order to use system resources. After the APP is installed, the Android user can decide to grant or revoke individual permissions of the APP. Context-aware permission control can further improve the security of the APP's execution environment, for the following reasons: 1) context-aware permission control is dynamic, adjusting the APP's permissions according to the perceived context; 2) context-aware permission control can be managed automatically, adjusting the APP's permissions dynamically according to preset security rules; 3) many malicious APPs use the permissions granted by the user to attack the user's mobile system or steal the user's private information, and context-aware permission control can effectively prevent such attacks.
Fig. 5 is a schematic diagram of context-aware permission control implemented in this system. The system runs the target mobile APP in the secure process, isolating it from the device's own mobile system. Through a series of hooks, the system captures the target mobile APP's accesses to system resources. As shown in Fig. 5, the system implements system service proxies to perceive the context of the target mobile APP and apply dynamic permission control to it. A request by the target mobile APP to access a system resource is captured by the system service proxy implemented by this system. The system service proxy consults the dynamic permission management rules and decides in light of the current context. If the target APP's access to the system resource is approved, the system service proxy accesses the system service in the real mobile environment, obtains the resource or information and returns it to the target process. If the access is denied, the system service proxy can reject the request outright, return a null value, or return a dummy value (dummy value) set by the permission management rules.
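The decision path just described (consult the dynamic rules against the current context, then forward the call, refuse it, return null or return a dummy value, and log the request) can be modelled with a JDK dynamic proxy. This is an added example and not the patent's code: it runs on a plain JVM (Java 17 or later) rather than over Binder, and `LocationService`, the rule fields and the context labels are hypothetical.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Added example: a service proxy that applies context-aware permission rules per call.
public class ContextAwareProxyDemo {

    /** Hypothetical stand-in for a system service interface the target APP calls. */
    public interface LocationService {
        String getLastLocation();
    }

    enum Action { ALLOW, DENY, RETURN_NULL, RETURN_DUMMY }

    /** One dynamic permission rule; the context "*" matches any context. */
    record Rule(String method, String context, Action action, Object dummyValue) {}

    /** Log module: time and content of every intercepted request. */
    static final List<String> LOG = new ArrayList<>();

    /** Wraps the real service so every call is checked against the rules first. */
    static <T> T wrap(Class<T> iface, T real, List<Rule> rules, Supplier<String> context) {
        InvocationHandler handler = (proxy, method, args) -> {
            String ctx = context.get();      // context is read at call time, so it can change
            Action action = Action.DENY;     // no matching rule means the request is refused
            Object dummy = null;
            for (Rule r : rules) {           // first matching rule wins
                boolean ctxMatch = r.context().equals("*") || r.context().equals(ctx);
                if (ctxMatch && r.method().equals(method.getName())) {
                    action = r.action();
                    dummy = r.dummyValue();
                    break;
                }
            }
            LOG.add(Instant.now() + " " + method.getName() + " context=" + ctx + " -> " + action);
            switch (action) {
                case ALLOW:        return method.invoke(real, args);  // reach the real service
                case RETURN_DUMMY: return dummy;                      // value set by the rule
                case RETURN_NULL:  return null;
                default:
                    throw new SecurityException(method.getName() + " denied in context " + ctx);
            }
        };
        return iface.cast(
                Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, handler));
    }

    public static void main(String[] args) {
        String[] current = {"home"};  // mutable holder for the current context label
        LocationService real = () -> "31.2304,121.4737";  // constructed sample value
        List<Rule> rules = List.of(
                new Rule("getLastLocation", "home", Action.ALLOW, null),
                new Rule("getLastLocation", "office", Action.RETURN_DUMMY, "0.0,0.0"),
                new Rule("getLastLocation", "roaming", Action.RETURN_NULL, null));
        LocationService svc = wrap(LocationService.class, real, rules, () -> current[0]);

        for (String ctx : new String[] {"home", "office", "roaming", "unknown"}) {
            current[0] = ctx;
            try {
                System.out.println(ctx + ": " + svc.getLastLocation());
            } catch (SecurityException e) {
                System.out.println(ctx + ": request refused");
            }
        }
        LOG.forEach(System.out::println);
    }
}
```

The same call yields the real value, the dummy value, null or a refusal depending only on the context label, and the log keeps one timestamped line per request for later analysis.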
IV. System working principle and technical background
The system and method are based on a deep understanding of the Android system and on related development experience. Fig. 6 shows the Android architecture. Android uses the Java programming language to develop mobile APPs, so mobile APPs on Android need the support of the Android runtime (runtime), which converts Java code into executable code. The early Android runtime was Dalvik, later replaced by ART. Some mobile APPs also need to call native libraries (such as OpenGL). These APPs use JNI together with a native language (such as C) to implement the calls to native libraries. Android is built on the Linux kernel and inherits Linux's per-user access control (access control). In Android and Linux, the root user has the highest access privileges in the system. Some malicious APPs obtain root privileges illegitimately in order to attack the system, so more and more Android systems prevent ordinary users and third-party software developers from obtaining root privileges. Android implements several inter-process communication (IPC) modules in the Linux kernel, including the Binder module. Android provides a series of system services to mobile APPs, and these system services interact with mobile APPs mainly through Binder. Important system services in Android include: 1) Service Manager, which centrally manages the registration of the other system services and supports mobile APPs' queries for system services; 2) Package Manager, which manages the installation of mobile APPs, the parsing of APP meta-information and queries on that meta-information; 3) Activity Manager, which is responsible for process management of mobile APPs and for allocating and managing the visual resources of APPs.
5. Experimental Results
In testing, the root-free virtual execution environment proposed by the present invention correctly ran the top 50 applications in domestic and international Android markets, including WeChat, QQ, Baidu Maps, Momo, YouTube, Pokemon Go, Facebook and Snapchat, without affecting these applications running at the same time in the Android system (outside the virtual environment).
Fig. 7 shows screenshots of an existing utility app from the Android market running directly (Fig. 7.a) and running inside this system (Fig. 7.b). It should be emphasized that this system (named Safe Box) can intercept and dynamically authorize the target app's interactions with the system in order to improve the security of the target app's operation. At the bottom of the left-hand image (Fig. 7.a), the target app loads and displays an advertisement banner. In the example of Fig. 7.b, the system successfully prevents the target app from loading the advertisement banner.
Fig. 8 shows screenshots of an augmented reality game from the Android market, Pokemon Go, running in this system. As shown in Fig. 8.a, the system lets the user select any virtual geographic coordinates. Fig. 8.b and Fig. 8.c show Pokemon Go, running in this system, operating correctly at the geographic coordinates selected by the user. Fig. 8.d is a thumbnail proving that the game is running inside the system.
Fig. 9 shows WeChat running inside the system. WeChat originally supports only one running instance on a mobile device. Thanks to the virtualized running environment that this system implements, however, the app can run two instances at the same time: one directly on the mobile device, and another inside the virtualized environment implemented by this system. As shown in Fig. 9, the instance running inside the system runs correctly and communicates with the outside instance.
Fig. 10 shows screenshots of a mobile app that collects private information, running inside and outside the system. As Fig. 10.a shows, this mobile app can obtain the user's private device IMEI and the user's geographic location, and it displays an advertisement banner. As shown in Fig. 10.b, the same app running in the virtualized environment provided by this system can obtain only a virtual, fake IMEI number and fake geographic information. As mentioned earlier, the system also blocks the advertisement banner that this app displays. It should further be emphasized that in the example shown in Fig. 10 the system runs on a mobile device different from the one used in the previous examples, which demonstrates the system's excellent compatibility.
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art may make improvements and modifications without departing from the principles of the invention, and such improvements and modifications shall also be regarded as falling within the scope of protection of the invention.
Claims (9)
1. A secure virtual mobile application running environment system without root privileges, characterized in that it comprises the following modules:
Container scheduling module: used to run the target application;
Hook method module: used to intercept the communication and interface calls between the target application running in the container process and the operating system;
Service proxy module: used to implement the interface between the operating system and the application, and to proxy the interaction between the target application running in the container and the operating system;
Log module: used to record the time and content of all communication between the target application and the operating system, for subsequent security analysis;
Security control rule module: used to control the granting of permissions to the target application, its access to system resources, and its communication with the operating system;
The container process module, the hook method module and the service proxy module are connected in sequence; the log module is connected to the hook module to record the running log of the target program; and the security control module controls the target program's access to system resources through defined security rules deployed in the hook module and the service proxy module.
2. The secure virtual mobile application running environment system without root privileges according to claim 1, characterized in that a series of hooks is placed in the container process module to intercept and replace the actions and behavior of the target application while it runs, the hooks comprising:
Binder hook: captures the system services obtained by the target application and redirects them to the Android system service proxies provided by this system;
Java method hook: intercepts the Java-language program logic inside the target application, rewrites vulnerable program logic, and intercepts part of the IPC interaction that the target mobile app carries out with the Android system and with other processes;
ELF hook: intercepts the native program logic in Executable and Linkable Format (ELF) inside the target application, and part of the IPC interaction that the target mobile app carries out with the Android system and with other processes.
3. The secure virtual mobile application running environment system without root privileges according to claim 1, characterized in that the security control rule module comprises:
Dynamic permission management rules: dynamically adjust the permissions of the target application to achieve context-aware permission management;
Program logic rewriting rules: through the hooks loaded in the secure process, combined with the program logic rewriting rules, dynamically repair the internal flaws of the target application.
4. A method for the secure virtual mobile application running environment system without root privileges according to any one of claims 1 to 3, characterized in that it comprises the following steps:
1) the user opens the virtual execution environment control program and selects the target application to run;
2) the container process loads the target application;
3) the container process sets hooks and, through the hook methods, dynamically intercepts the communication and interface calls between the target program and the operating system;
4) the proxy service, using the intercepted communication and interface call requests, proxies the interaction between the target program and the system;
5) the security module analyzes the interaction between the target program and the mobile operating system, and applies dynamic permission control to these interactions through the proxy service;
6) the log module records the time and content of all system accesses for further security analysis.
5. The method for the secure virtual mobile application running environment system without root privileges according to claim 4, characterized in that the system can rewrite the target application, set up a virtual running environment for it, and run the target application securely within it; the specific method of securely running the target application in steps 2)-4) is:
1) after the container process starts, a Binder hook is set in it to direct the container process's communication with system services to the system service proxies created by this system;
2) through the interface provided by this system, the user selects the target application to start;
3) the system uses Package Manager to construct the ApplicationInfo and ActivityInfo needed to run the target application;
4) the system sends the constructed ApplicationInfo to the container process, causing it to bind the target application; this process starts the application class of the target application;
5) while binding the target application, the container process sets the Java method hooks and ELF hooks and loads the program logic rewriting rules;
6) the system notifies Activity Manager to start a proxy Activity;
7) the system intercepts the startup of the proxy Activity and notifies the container process to start the target Activity of the target application;
8) the target application in the secure process uses the resources created by the system Activity Manager to run the target Activity.
6. The method for the secure virtual mobile application running environment system without root privileges according to claim 3, characterized in that the system can observe and control the internal logic of the target application and the target application's communication with the outside.
7. Use of the secure virtual mobile application running environment system without root privileges according to any one of claims 1 to 3 in a sandbox environment.
8. Use of the secure virtual mobile application running environment system without root privileges according to any one of claims 1 to 3 in an encrypted app running environment.
9. Use of the secure virtual mobile application running environment system without root privileges according to any one of claims 1 to 3 in context-aware permission control.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710122674.2A CN106897611A (en) | 2017-03-03 | 2017-03-03 | Secure virtual mobile applications running environment system and method and application without root authority |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106897611A (en) | 2017-06-27 |
Family
ID=59185467
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170627 |