CN111931222B - Application data encryption method, device, terminal and storage medium - Google Patents
- Publication number: CN111931222B (CN202011059756.5A)
- Authority: CN (China)
- Prior art keywords: data, encryption, target application, application data, byte
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
  - G06—COMPUTING OR CALCULATING; COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/602—Providing cryptographic facilities or services
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
            - G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The embodiment of the invention discloses an application data encryption method, an application data encryption device, a terminal and a storage medium based on a cloud technology, wherein the method comprises the following steps: running a target application in a target environment configured by a terminal; responding to a storage instruction of target application data aiming at the target application, and acquiring an encryption input interface corresponding to the target application data; the encryption input interface is generated according to interface processing logic configured in a target environment and a kernel input interface related to target application data; calling an encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data; calling an encryption input interface to arrange ciphertexts corresponding to the byte data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal. Therefore, the target application data can be effectively prevented from leaking, and the safety of the target application data is improved, so that the privacy safety of a user is guaranteed.
Description
Technical Field
The present application relates to the field of internet technologies, in particular to the field of computer technologies, and more particularly to an application data encryption method, an application data encryption apparatus, a terminal, and a computer storage medium.
Background
Currently, various Applications (APPs) are generally installed in a terminal device, such as a social application, a browser application, a multimedia playing application, and the like. Any application in the terminal generally generates a series of application data in the running process; for example, social data received by the social application during the operation process and user account data for logging in the social application; also, for example, web page data loaded by a browser application in an operating process; such as multimedia data generated by a multimedia playback application during operation, and so on. Because of the risk of leakage of the application data, how to improve the security of the application data becomes a research hotspot.
Disclosure of Invention
The embodiment of the invention provides an application data encryption method, an application data encryption device, a terminal and a storage medium, which can effectively prevent target application data from leaking and improve the security of the target application data, thereby ensuring the privacy security of a user.
In one aspect, an embodiment of the present invention provides an application data encryption method, where the method includes:
running a target application in a target environment configured by a terminal, wherein the target environment is configured with a uniform interface processing logic;
responding to a storage instruction of target application data of the target application, and acquiring an encryption input interface corresponding to the target application data; wherein the encryption input interface is generated according to the interface processing logic and a kernel input interface related to the target application data; the target application data comprises at least one byte of data;
calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data;
calling the encryption input interface to arrange the ciphertexts corresponding to the data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
In another aspect, an embodiment of the present invention provides an application data encryption apparatus, where the apparatus includes:
an operation unit, configured to run a target application in a target environment configured by a terminal, wherein the target environment is configured with a uniform interface processing logic;
the processing unit is used for responding to a storage instruction of target application data aiming at the target application and acquiring an encryption input interface corresponding to the target application data; wherein the encryption input interface is generated according to the interface processing logic and a kernel input interface related to the target application data; the target application data comprises at least one byte of data;
the processing unit is further configured to call the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data;
the processing unit is further configured to call the encryption input interface to sequentially arrange ciphertexts corresponding to the byte data to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
In another aspect, an embodiment of the present invention provides a terminal, where the terminal includes an input device and an output device, and the terminal further includes:
a processor adapted to implement one or more instructions; and
a computer storage medium storing one or more first instructions adapted to be loaded by the processor and to perform the steps of:
running a target application in a target environment configured by a terminal, wherein the target environment is configured with a uniform interface processing logic;
responding to a storage instruction of target application data of the target application, and acquiring an encryption input interface corresponding to the target application data; wherein the encryption input interface is generated according to the interface processing logic and a kernel input interface related to the target application data; the target application data comprises at least one byte of data;
calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data;
calling the encryption input interface to arrange the ciphertexts corresponding to the byte data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
In yet another aspect, an embodiment of the present invention provides a computer storage medium storing one or more first instructions, where the one or more first instructions are adapted to be loaded by a processor and execute the above-mentioned application data encryption method.
The embodiment of the invention can respond to a storage instruction for target application data of a target application running in the target environment and acquire the encryption input interface corresponding to the target application data; the encryption input interface is then called to perform kernel byte level encrypted storage of the target application data, which can effectively improve the security of the target application data. Moreover, because the encryption input interface is generated according to the interface processing logic and the kernel input interface (namely the input interface at the bottommost layer in the operating system) related to the target application data, encrypting and storing the target application data through the encryption input interface ensures that the target application data is encrypted completely and that none of it is missed; therefore, the encryption range is more complete and the encryption degree more thorough, which further improves the security and reliability of the target application data and guarantees the privacy security of the user. In addition, the target application on the upper layer cannot perceive the encryption details of the bottom layer, so the encryption is completely transparent to the target application. Furthermore, because the interface processing logic is configured uniformly for the target environment, the terminal can uniformly perform storage management on each application running in the target environment based on the interface processing logic, and thus resource cost can be effectively saved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a block diagram of an operating system according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of an application data encryption method according to an embodiment of the present invention;
FIG. 3a is a schematic interface diagram of an environment APP provided by the embodiment of the present invention;
FIG. 3b is a schematic diagram of uploading a custom list according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating an application data encryption method according to another embodiment of the present invention;
FIG. 5a is a schematic diagram of a technical framework provided by an embodiment of the present invention;
FIG. 5b is a schematic diagram of an intercept proxy for an underlying interface according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating an application data encryption method according to another embodiment of the present invention;
FIG. 7 is a flowchart illustrating an application data encryption method according to another embodiment of the present invention;
FIG. 8a is a schematic interface diagram of a data display according to an embodiment of the present invention;
FIG. 8b is a schematic interface diagram of a data display according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an application data encryption apparatus according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
In the embodiment of the invention, the terminal refers to any device with an operating system installed; such as, without limitation, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart watch, and the like. The Operating System (OS) is a computer program for managing and controlling the hardware and software resources of a computer, and may include but is not limited to: the Windows operating system, the Linux operating system, the Android operating system, and the like. Referring to fig. 1, the operating system can be broadly divided into a terminal upper-layer application part and a terminal bottom-layer module part. In the upper-layer application part of the terminal, n applications can be installed and run, each application can provide m services, and n and m are positive integers. Each application can generate a series of application data in the process of providing services; the application data refers to any computer data that an application program (i.e. the application), once successfully installed in the operating system, generates during normal operation and that needs to be stored in the local terminal. Examples include social data (e.g., files, pictures) received by a social application during execution; web page data loaded by a browser application during operation; multimedia data generated by a multimedia playing application during operation; and backup file data automatically saved by an office application during operation, etc.
In the terminal bottom module part, at least a multilayer I/O interface (i.e. Input/Output interface) and data storage hardware, etc. may be included; the I/O interface herein refers to an interface for an operating system to perform input/output of data, and is a link for exchanging information between a computer and a controlled object. Among the multiple layers of I/O interfaces, the I/O interface close to the upper application part of the terminal can be called a data I/O interface, and one data I/O interface can correspond to one service; and each data I/O interface may include: a data input interface, a data output interface, a data opening interface and other interfaces. Among the multiple layers of I/O interfaces, the lowest level of I/O interfaces may be referred to as kernel I/O interfaces (or meta I/O interfaces); and the kernel I/O interface may include: the kernel I/O interface is composed of one or more program codes (or called system functions).
Research shows that when any application in a terminal generates application data in the process of providing a certain service (such as service 1) and there is a data I/O operation for the application data, the data I/O interface corresponding to service 1 is usually called to perform the data I/O operation on the application data. However, the data I/O interface corresponding to service 1 generally implements the data I/O operation by further calling the lowest-level kernel I/O interface. It can be seen that calling the data I/O interface corresponding to service 1 to perform the data I/O operation on the application data essentially calls the kernel I/O interface to perform that operation. Based on this, the embodiment of the invention provides a data management concept, as follows: if the application data can be encrypted for storage or decrypted for reading when the data I/O operation is performed on it, the application data can be effectively prevented from leaking, and the security of the application data is improved. Furthermore, since the data I/O operation is essentially performed by the kernel I/O interface, in order to achieve thorough encryption, the kernel I/O interface may be modified, or a bottom-layer proxy I/O interface may be generated to simulate the kernel I/O interface, to implement the above-mentioned encrypted storage and decrypted reading of the application data; the proxy I/O interface herein may include: an encryption input interface and a decryption output interface.
Based on the data management concept, the embodiment of the invention provides a data management scheme to better perform operation management on application data; specifically, the general principle of the data management scheme is as follows: the terminal can be configured with a target environment, which is an environment in which at least one application can run and which is configured with unified interface processing logic. Specifically, the terminal may install and run an environment APP (such as Tencent Tianshu APP) to implement configuration of the target environment, so that the terminal may generate a bottom-layer proxy I/O interface according to the indication of the interface processing logic configured in the target environment and the kernel I/O interface. When a data storage requirement/a data reading requirement exists, the terminal can perform encryption write-in protection or decryption read processing on application data corresponding to the proxied kernel I/O interface through the proxied I/O interface; the method ensures the leak-proof performance of the application data and achieves the privacy protection of sensitive or important application data. The specific implementation of generating the underlying proxy I/O interface according to the kernel I/O interface may include at least the following:
The first embodiment: the kernel I/O interface may be modified to generate a proxy I/O interface as directed by the interface processing logic. Specifically, the terminal in this embodiment may intercept the kernel I/O interface through the Hook technology, and modify the program code in the kernel I/O interface to generate the proxy I/O interface, so that the kernel I/O interface may subsequently be proxied by the proxy I/O interface. Hook technology, also called a hook function, refers to a technique in which a specific program captures a function call message before a system function (i.e., program code) in an I/O interface is called, thereby obtaining control of the function in advance and processing (changing) the execution behavior and message passing of the system function (i.e., program code). That is, this embodiment may implement an intercept proxy, through the Hook technology, for the underlying relevant I/O interface (i.e., kernel I/O interface) of the operating system of the terminal, so as to obtain the operation management capability for the application data generated by each application running on the operating system. For convenience of illustration, the kernel I/O interface mentioned in the following is an underlying I/O interface of the Linux system; that is, proxying the underlying I/O interface of the Linux system is taken as the example.
The second embodiment: according to the instruction of the interface processing logic, a simplified virtual system is implemented by imitating the operating system of the terminal, and the bottom layer I/O interface of the virtual system is customized and modified according to the kernel I/O interface in the operating system, so as to generate the proxy I/O interface. That is, this embodiment can generate a proxy I/O interface by imitating the entire operating system, so that encrypted storage and decrypted reading of the application data can subsequently be realized; therefore, compatibility with the system characteristics of different operating systems does not need to be considered, and the encryption performance is effectively improved.
Based on the above description, it can be seen that the data management scheme mentioned in the embodiment of the present invention may have the following advantages: the encrypted storage/decrypted reading of the application data is realized through the proxy I/O interface, and the security of the application data can be effectively improved. Furthermore, because the proxy I/O interface is generated by changing program code in the kernel I/O interface or by imitating the kernel I/O interface, no special hardware requirements and no modification of or requirements on the application are needed, and the implementation cost is low; moreover, processing through the unified interface processing logic unifies the processing mode without coupling to the services of the individual applications, so the implementation is flexible and controllable, the encryption range is complete, the encryption degree is thorough, and the like.
Based on the above description, the embodiment of the present invention provides an application data encryption method; the application data encryption method may be performed by the terminal mentioned above or by an environment APP (such as Tencent Tianshu APP) running in the terminal, and for convenience of illustration, the application data encryption method performed by the terminal is described as an example in the following. Referring to fig. 2, the application data encryption method may include the following steps S201 to S204:
S201, running the target application in the target environment configured by the terminal.
And the target environment is configured by installing and running the environment APP by the terminal. The target environment can be configured with uniform interface processing logic, and at least one application is installed and operated; the target application mentioned in the embodiment of the present invention refers to any application in the target environment, such as a social application, an office application, a browser application, a multimedia playing application, and the like in the target environment. Taking the target application as application 1 as an example, the principle of running the target application in the target environment is as follows: a user can open an environment APP and download and install a target application through an application download channel provided by the environment APP; after the target application is successfully installed, the application interface of the environment APP displays an application icon of the target application, as shown in fig. 3 a. Correspondingly, the user can start the target application by triggering the application icon of the target application; if the terminal detects a start instruction for the target application, the target application can be run in the target environment.
S202, responding to a storage instruction of target application data aiming at the target application, and acquiring an encryption input interface corresponding to the target application data.
In a specific implementation, the terminal may detect whether a storage instruction of target application data for the target application exists in real time, where the target application data refers to any application data related to the target application in the running process. For example, if the target application is a social application, the target application data may be social data such as files, pictures, emoticons, and the like received by the target application during the running process, or user account data related to the target application during the running process, and the like. For another example, if the target application is an office application, the target application data may be file data acquired by responding to a user saving operation in the operation process of the office application, or backup file data automatically saved by the target application in the operation process, and the like. For another example, if the target application is a browser application, the target application data may be web page data loaded by the target application in the running process, or resource data (such as files and pictures) acquired by the target application according to a resource downloading operation of a user in the running process.
And if the terminal detects the storage instruction of the target application data aiming at the target application, the terminal can respond to the storage instruction of the target application data aiming at the target application and acquire the encryption input interface corresponding to the target application data. Wherein the target application data comprises at least one byte of data; the encryption input interface is generated according to the interface processing logic and the kernel input interface related to the target application data, and the kernel input interface related to the target application data mentioned herein may include data writing code.
In one embodiment, the interface processing logic is operable to instruct: in a virtual system constructed by a simulated operating system, interface customization processing is carried out according to a data encryption code and a data writing code so as to generate an encryption input interface corresponding to target application data; that is, in this embodiment, the encrypted input interface is a virtual interface that is generated by emulating the lowest level kernel input interface in the operating system.
In yet another embodiment, the interface processing logic is operable to instruct: intercepting a kernel input interface related to target application data in an operating system, and adding a data encryption code in the kernel input interface to obtain an encryption input interface corresponding to the target application data; that is, in this embodiment, the encrypted input interface is an interface obtained by intercepting a kernel input interface at the lowest layer in the operating system and modifying the kernel input interface. In particular, the interface processing logic may be configured to indicate: intercepting an execution logic entrance of a kernel input interface related to the target application data, and injecting a data encryption code at the execution logic entrance to obtain an encryption input interface corresponding to the target application data. The execution logic entry mentioned herein refers to the data writing code included in the kernel input interface.
The encryption input interface corresponding to the target application data may be generated in advance, or may be generated in real time after a storage instruction for the target application data of the target application is detected, which is not limited to this. In addition, regardless of the encryption input interface generated according to the instruction of any interface processing logic, the encryption input interface needs to satisfy the following conditions: the execution order of the data encryption code precedes the execution order of the data writing code. It should be noted that the encryption input interface may include other program codes, such as an engagement transition code for engaging the data encryption code and the data writing code so that the encryption input interface can be normally used, in addition to the data encryption code and the data writing code mentioned above.
S203, calling an encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data.
The kernel byte level encryption processing refers to: calling the encryption input interface at the bottom layer to encrypt each byte data in the application data with the encryption algorithm corresponding to that byte data. The encryption algorithm corresponding to any byte of data in the target application data may include, but is not limited to: symmetric encryption algorithms, asymmetric encryption algorithms, hash algorithms, and the like. A symmetric encryption algorithm is an encryption algorithm that uses the same key for encryption and decryption, and may include, but is not limited to: DES (Data Encryption Standard), RC5 (a variable-parameter block cipher algorithm), AES (Advanced Encryption Standard), and the like. An asymmetric encryption algorithm is an encryption algorithm that uses different keys for encryption and decryption, and may include, but is not limited to: RSA (RSA algorithm), ECC (elliptic curve cryptography), and the like. A hash algorithm is an algorithm that obtains a hash value by performing a hash operation on data, and may include, but is not limited to: MD4 (a cryptographic hash function), MD5 (a cryptographic hash function), SHA (Secure Hash Algorithm), and the like.
In a specific implementation, the terminal may directly call the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data, so as to obtain a ciphertext corresponding to each byte data. Under this specific implementation, the specific implementation of step S203 may be: firstly, an encryption input interface can be called to obtain an encryption algorithm corresponding to each byte data in the target application data. Specifically, an encryption algorithm can be randomly selected for each byte of data; alternatively, an encryption algorithm may be selected for each byte of data based on the byte priority of each byte of data based on the principle that the byte priority is proportional to the encryption performance of the encryption algorithm. Then, the encryption algorithm corresponding to each byte data can be respectively adopted to carry out kernel byte level encryption processing on the corresponding byte data, and the ciphertext corresponding to each byte data is obtained. Specifically, taking any byte data in the target application data as an example, a specific implementation manner of performing kernel byte level encryption processing on the any byte data may be:
If the encryption algorithm corresponding to any byte of data is a hash algorithm, a hash operation is performed on that byte of data to obtain the ciphertext corresponding to it.
If the encryption algorithm corresponding to any byte of data is a symmetric encryption algorithm or an asymmetric encryption algorithm, a key for encryption processing can be obtained, and exclusive-or operation is performed on the key and any byte of data to obtain a ciphertext corresponding to any byte of data. The algorithm of the exclusive-or operation is as follows: if the two data subjected to the XOR operation are consistent, the XOR result is a first value (such as a value 1); otherwise, the XOR result is a second value (e.g., 0). Correspondingly, the specific implementation of performing an exclusive or operation on the key and any byte of data to obtain a ciphertext corresponding to any byte of data may be: comparing whether the key is consistent with any byte data; if the data are consistent, the first numerical value is used as a ciphertext corresponding to any byte of data; and if the two data are not consistent, the second numerical value is used as a ciphertext corresponding to any byte of data.
It should be noted that the encryption algorithms corresponding to the individual bytes of data may be the same or different; this is not limited. When different encryption algorithms are used to perform kernel byte level encryption on the individual bytes of data, the data encryption effect can be further enhanced.
In another specific implementation, in order to further improve the efficiency and flexibility of managing the encryption protection of the target application data, thereby further optimizing the leak-prevention effect for the target application data and improving encryption performance, the terminal may perform step S203 in combination with an encryption regulation and control policy defined by the cloud. Here, "cloud" is short for a cloud server implemented on the basis of cloud technology; cloud technology is a hosting technology that unifies resources such as hardware, software and network within a wide area network or a local area network to realize the computation, storage, processing and sharing of data. In other words, cloud technology can be understood as a general term for the network technology, information technology, integration technology, management platform technology, application technology and the like that are applied on the basis of the cloud computing model; these can form a resource pool that is used on demand, which is flexible and convenient. In one optional implementation, the cloud can preset and store an encryption regulation and control strategy according to business requirements; in another optional implementation, the cloud can also use big data analysis technology to flexibly and dynamically adjust the encryption regulation and control strategy in light of the terminal's real-time encryption requirements and changes in device performance, and issue it periodically, so that the encryption effect is further improved.
In this implementation, step S203 may be carried out as follows: detect whether an encryption regulation and control strategy issued by the cloud server exists in the local space. If it exists, the encryption input interface is called to perform kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control strategy; if it does not exist, the data encryption code in the encryption input interface can be called directly to perform kernel byte level encryption processing on each byte data in the target application data. The step of calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control policy may be implemented in any of the following ways:
The first embodiment: the encryption regulation and control strategy may comprise a custom list, which is used to indicate at least one application data that does not need to be encrypted. Specifically, the custom list may include at least one of: an application white list and a data white list; the application white list may include the application identifier (e.g., application name) of at least one application, and the data white list may include at least one data type (e.g., picture type, text type, etc.). When the custom list includes an application white list, the at least one application data indicated by the custom list may include the application data generated by the application indicated by each application identifier in the application white list; when the custom list includes a data white list, the at least one application data indicated by the custom list may include the application data of each data type in the data white list. In a specific implementation, the custom list may be set by the user according to actual needs and uploaded to the cloud server, as shown in fig. 3b. The user can therefore flexibly regulate the application encryption effect of the terminal through the custom list: specifically, the encryption range can be adjusted by setting an application white list (encryption at application granularity), and the encryption degree can be adjusted by setting a data white list (encryption at file granularity).
Therefore, the granularity of the encryption regulation and control strategy can be refined down to the application level and the data content level, and the strategy can be adjusted and issued at any time, which is very flexible; meanwhile, the terminal does not need to be adjusted, so the regulation and control cost is low.
In this embodiment, the terminal may perform data hit matching between the target application data and the at least one application data indicated by the custom list. Data hit matching is a matching mode that detects whether the target application data belongs to the at least one application data. Correspondingly, data hit matching between the target application data and the at least one application data indicated by the custom list may be performed as follows. When the custom list comprises the application white list, it can be judged whether the application white list comprises the application identifier of the target application; if yes, it is determined that the target application data hits the at least one application data indicated by the custom list, namely that the data hit is successful; if not, it is determined that the target application data does not hit the at least one application data indicated by the custom list, namely that the data hit fails. When the custom list comprises the data white list, it can be judged whether the data white list comprises the data type of the target application data; if yes, it is determined that the target application data hits the at least one application data indicated by the custom list, namely that the data hit is successful; if not, it is determined that the target application data does not hit the at least one application data indicated by the custom list, namely that the data hit fails.
If the data hit matching fails, it is indicated that the target application data is not in the application data indicated by the custom list, that is, the target application data needs to be encrypted; in this case, the terminal may call the encryption input interface to perform kernel byte level encryption processing on each byte of data in the target application data. If the data hit match is successful, the target application data is indicated to be in the application data indicated by the custom list, and the target application data does not need to be encrypted; in this case, the terminal may directly store the target application data into the local space of the terminal.
The second embodiment: the encryption regulation policy may include encryption processing logic; the cryptographic processing logic herein may include at least one of: encryption field, encryption algorithm, and number of encryptions, etc. In this embodiment, the data encryption code in the encryption input interface may be adjusted according to the encryption processing logic. Specifically, when the encryption processing logic includes the encryption field, the encryption field may be directly added to the data encryption code of the encryption input interface, or the encryption field in the encryption processing logic may be used to replace the encryption field in the data encryption code of the encryption input interface, so as to implement the adjustment of the data encryption code. When the encryption processing logic includes an encryption algorithm, the encryption algorithm in the encryption processing logic may be used to replace the encryption algorithm in the data encryption code in the encryption input interface to implement the adjustment of the data encryption code. When the encryption processing logic comprises the encryption times, the encryption times in the encryption processing logic can be adopted to replace the encryption times in the data encryption codes in the encryption input interface so as to realize the adjustment of the data encryption codes.
Then, the adjusted data encryption code is called to perform kernel byte level encryption processing on each byte data in the target application data. The implementation principle of the step of "calling the adjusted data encryption code to perform kernel byte level encryption processing on each byte data in the target application data" is similar to that of the step of "calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data", and is not described again here.
The third embodiment: the encryption regulation and control strategy comprises both a custom list and encryption processing logic. The terminal may first perform data hit matching between the target application data and the at least one application data indicated by the custom list. If the data hit match is successful, the target application data is stored directly into the local space of the terminal. If the data hit match fails, the data encryption code in the encryption input interface can be adjusted according to the encryption processing logic, and the adjusted data encryption code is then called to perform kernel byte level encryption processing on each byte data in the target application data.
S204, calling an encryption input interface to arrange ciphertexts corresponding to the byte data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
In a specific implementation, after the ciphertext corresponding to each byte data is obtained in step S203, the ciphertexts corresponding to the individual bytes may be arranged in sequence according to the order of the byte data in the target application data to form the encrypted target application data. The encrypted target application data may then be stored in the local space of the terminal. In one embodiment, the terminal may determine a default storage address for the target application data from the local space of the terminal, and then store the encrypted target application data at the default storage address. The default storage address is set by a user or determined by the terminal according to the installation path of the target application.
In another embodiment, in order to manage the target application data uniformly for the user, or to prevent a malicious user or a malicious program that has acquired the default storage address of the target application data from stealing the target application data through that address, the terminal can also perform relocation processing on the target application data, where relocation processing refers to changing the storage address of the target application data. In this embodiment, the terminal may first determine a relocation address related to the target application data from the local space of the terminal, and obtain a target file at the relocation address for storing the target application data; the encrypted target application data may then be written to the target file to store the target application data. The relocation address is different from the default storage address. It should be noted that, if no history file whose recorded data matches the target application data (i.e. whose content matching degree is greater than the threshold) exists at the relocation address, the target file may be a newly created blank file; if a history file whose recorded data matches the target application data exists at the relocation address, the target file may be that history file.
It should be noted that, if the terminal has not generated the encryption input interface in advance, or fails to generate the encryption input interface in real time, the terminal will fail to acquire the encryption input interface in step S202. In this case, that is, if obtaining the encryption input interface corresponding to the target application data fails, the terminal may obtain the kernel input interface related to the target application data and then call the kernel input interface to store the target application data into the local space of the terminal.
The embodiment of the invention can respond to the storage instruction of the target application data of the target application running in the target environment and acquire the encryption input interface corresponding to the target application data; the encryption input interface is then called to carry out kernel byte level encrypted storage of the target application data, so that the security of the target application data can be effectively improved. Moreover, because the encryption input interface is generated according to the interface processing logic and the kernel input interface (namely the input interface at the bottommost layer of the operating system) related to the target application data, using the encryption input interface to encrypt and store the target application data ensures that the target application data is encrypted completely and that none of it is omitted; therefore, the encryption range is more complete and the encryption degree more thorough, the security and reliability of the target application data are further improved, and the privacy of the user is protected. In addition, the upper-layer target application is unaware of the underlying encryption details, so the encryption is completely transparent to the target application. Furthermore, because the interface processing logic is configured uniformly for the target environment, the terminal can uniformly perform storage management on each application running in the target environment based on the interface processing logic, and thus the resource cost can be effectively saved.
Based on the description of the application data encryption method shown in fig. 2, the embodiment of the present invention further provides a more specific application data encryption method; the application data encryption method may be performed by the terminal mentioned above or by an environment APP (such as Tencent Tianshu APP) running in the terminal, and for convenience of illustration, the application data encryption method performed by the terminal is described as an example in the following. Referring to fig. 4, the application data encryption method may include the following steps S401 to S410:
S401, running a target application in a target environment configured by the terminal, wherein the target environment is configured with a uniform interface processing logic.
S402, responding to a storage instruction of target application data aiming at the target application, and acquiring an encryption input interface corresponding to the target application data.
S403, detecting whether an encryption regulation and control strategy issued by the cloud server exists in the local space.
The encryption regulation and control strategy can comprise a custom list and encryption processing logic; the custom list is used for indicating at least one application data which does not need to be encrypted, and the encryption processing logic comprises at least one of the following items: an encryption field, an encryption algorithm, and an encryption count. If the terminal detects that the encryption regulation and control strategy exists in the local space, the terminal can jump to step S404. If the terminal detects that the encryption regulation and control strategy does not exist in the local space, the terminal can jump to step S407 and then execute steps S408-S410.
S404, if the encryption regulation and control strategy exists, performing data hit matching on at least one application data indicated by the custom list in the encryption regulation and control strategy and the target application data.
In a specific implementation, if the encryption regulation and control strategy exists, the custom list can be read from the encryption regulation and control strategy, and data hit matching is performed on at least one application data indicated by the custom list and the target application data. If the data hit match fails, the process may jump to step S405 and then steps S408-S410. If the data hit match is successful, the process may jump to step S406, after which the process ends.
S405, if the data hit match fails, adjusting the data encryption code in the encryption input interface according to the encryption processing logic in the encryption regulation and control strategy; and calling the adjusted data encryption code to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data.
S406, if the data hit match is successful, determining a relocation address related to the target application data from the local space of the terminal, acquiring a target file used for storing the target application data at the relocation address, and directly writing the target application data into the target file.
S407, if the encryption regulation and control strategy does not exist, calling a data encryption code in the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data.
S408, calling the encryption input interface to arrange the ciphertexts corresponding to the byte data in sequence to form encrypted target application data.
S409, determining a relocation address related to the target application data from the local space of the terminal, and acquiring a target file used for storing the target application data at the relocation address.
S410, writing the encrypted target application data into a target file.
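The decision flow of steps S403 to S410, written out as an added C example that is not code from the patent. All names are hypothetical, the target file at the relocation address is modelled as a caller-supplied buffer, and the per-byte transform (XOR with a key followed by a one-bit rotation) is a constructed placeholder for whichever algorithm the encryption processing logic names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration: all identifiers are hypothetical, not from the patent. */
typedef struct {
    const char *const *app_whitelist;   /* application identifiers exempt from encryption */
    size_t n_apps;
    const char *const *type_whitelist;  /* data types exempt from encryption */
    size_t n_types;
    uint8_t key;      /* parameter of the placeholder per-byte algorithm */
    unsigned rounds;  /* "number of encryptions"; 0 keeps the default */
} policy_t;

typedef enum { STORED_PLAIN, STORED_ENCRYPTED } outcome_t;

/* Defaults of the data encryption code in the encryption input interface (S407). */
enum { DEFAULT_KEY = 0x5A, DEFAULT_ROUNDS = 1 };

/* Constructed sample policy, as the cloud server might issue it. */
static const char *const SAMPLE_APPS[]  = { "com.example.notes" };
static const char *const SAMPLE_TYPES[] = { "picture" };
static const policy_t SAMPLE_POLICY = { SAMPLE_APPS, 1, SAMPLE_TYPES, 1, 0x3C, 2 };

static int in_list(const char *const *list, size_t n, const char *s) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], s) == 0) return 1;
    return 0;
}

/* S404: data hit matching against the application and data white lists. */
int data_hit(const policy_t *p, const char *app_id, const char *data_type) {
    return in_list(p->app_whitelist, p->n_apps, app_id) ||
           in_list(p->type_whitelist, p->n_types, data_type);
}

/* Placeholder reversible transform: XOR with the key, then rotate left one bit. */
static uint8_t enc_byte(uint8_t b, uint8_t key) {
    b ^= key;
    return (uint8_t)((b << 1) | (b >> 7));
}

static uint8_t dec_byte(uint8_t c, uint8_t key) {
    c = (uint8_t)((c >> 1) | (c << 7));
    return (uint8_t)(c ^ key);
}

/* S405/S407 and S408: encrypt each byte, keeping ciphertexts in input order. */
void encrypt_all(const uint8_t *in, uint8_t *out, size_t n, uint8_t key, unsigned rounds) {
    for (size_t i = 0; i < n; i++) {
        uint8_t b = in[i];
        for (unsigned r = 0; r < rounds; r++) b = enc_byte(b, key);
        out[i] = b;
    }
}

/* Inverse of encrypt_all, used here only to check the round trip. */
void decrypt_all(const uint8_t *in, uint8_t *out, size_t n, uint8_t key, unsigned rounds) {
    for (size_t i = 0; i < n; i++) {
        uint8_t b = in[i];
        for (unsigned r = 0; r < rounds; r++) b = dec_byte(b, key);
        out[i] = b;
    }
}

/* S403-S410. `policy` is NULL when no policy exists in the local space;
 * `file` stands in for the target file and must hold at least n bytes. */
outcome_t store_app_data(const policy_t *policy, const char *app_id,
                         const char *data_type, const uint8_t *data,
                         size_t n, uint8_t *file) {
    uint8_t key = DEFAULT_KEY;
    unsigned rounds = DEFAULT_ROUNDS;
    if (policy != NULL) {                              /* S403: policy present */
        if (data_hit(policy, app_id, data_type)) {     /* S404: hit succeeded  */
            memcpy(file, data, n);                     /* S406: store as is    */
            return STORED_PLAIN;
        }
        key = policy->key;                             /* S405: adjust the code */
        if (policy->rounds > 0) rounds = policy->rounds;
    }
    encrypt_all(data, file, n, key, rounds);           /* S405/S407, S408-S410 */
    return STORED_ENCRYPTED;
}

int main(void) {
    const uint8_t msg[] = "secret";                    /* constructed sample data */
    uint8_t file[sizeof msg], back[sizeof msg];
    outcome_t o = store_app_data(&SAMPLE_POLICY, "com.example.chat", "text",
                                 msg, sizeof msg, file);
    decrypt_all(file, back, sizeof msg, SAMPLE_POLICY.key, SAMPLE_POLICY.rounds);
    return (o == STORED_ENCRYPTED && memcmp(back, msg, sizeof msg) == 0) ? 0 : 1;
}
```

Note that a white-list hit on either list sends the data to storage unencrypted, so the contents of the custom list decide which application data ends up in plaintext on disk.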
The embodiment of the invention can respond to the storage instruction of the target application data of the target application running in the target environment and acquire the encryption input interface corresponding to the target application data; and the encryption input interface is called to encrypt and store the target application data, so that the safety of the target application data can be effectively improved. Moreover, because the encryption input interface is generated according to the interface processing logic and the kernel input interface (namely the input interface at the bottommost layer in the operating system) related to the target application data, the encryption input interface is used for encrypting and storing the target application data, the complete encryption of the target application data can be ensured, and the target application data is prevented from being omitted; therefore, the encryption range is more complete, the encryption degree is more thorough, the safety and the reliability of the target application data are further improved, and the privacy safety of the user is guaranteed. Furthermore, because the interface processing logic is configured uniformly for the target environment, the terminal can uniformly perform storage management on each application running in the target environment based on the interface processing logic, and thus, the resource cost can be effectively saved.
Based on the above description of the embodiment of the application data encryption method shown in fig. 2 and fig. 4, the embodiment of the present invention further provides a technical framework shown in fig. 5a. The technical framework can be concentrated in the terminal, so that the terminal relies mainly on the technical framework, assisted by the encryption regulation and control strategy issued by the cloud, to perform operations such as encrypted storage or decrypted reading of application data. Referring to fig. 5a, a Hook interception module is added to the operating system of the terminal; through the Hook interception module, the terminal can use the Hook technology to proxy the kernel I/O interfaces at the bottommost layer of the operating system, so that Hook interception is performed on all data I/O interfaces for the different services in the operating system, and the application data generated by each application is intercepted and processed uniformly. Therefore, when encrypted storage is carried out subsequently, the encryption range is complete, and all applications, all services and all application data can be effectively covered.
In a specific implementation, the general principle of the technical framework may include the following parts. First, load interception can be performed on each kernel I/O interface in the I/O function module at the lowest layer of the operating system. Second, an injection operation of data processing logic may be performed on each kernel I/O interface, where the data processing logic may include, but is not limited to: detection logic for detecting whether an encryption regulation and control strategy exists, encryption processing logic specifying how to perform encryption processing, and the like. It should be noted that, in the embodiment of the present invention, the "injection operation of data processing logic on the kernel I/O interface" essentially refers to injecting into the kernel I/O interface a processing logic entry written according to the data processing logic; the processing logic entry refers to program code, set as required, for changing the function of the kernel I/O interface. For example, the processing logic entry corresponding to the kernel input interface may include policy query code, data encryption code, etc., and the processing logic entry corresponding to the kernel output interface may include data decryption code, etc. Then, a storage instruction for any application data is detected, and the encryption regulation and control strategy is queried after the storage instruction is detected; kernel byte level encryption processing is then performed on the application data in combination with the encryption regulation and control strategy that was read, according to the interface characteristics of the different I/O interfaces.
Practice shows that the technical framework provided by the embodiment of the invention can have the following advantages. Firstly, because the encrypted storage of the application data is realized through the I/O interface at the bottommost layer, all upper-layer applications are unaware of the encryption details at the bottom layer and do not need to make corresponding adjustments; meanwhile, the encryption processing of the bottom layer is transparent to the upper-layer services, the characteristics of different encryption services do not need to be considered, and the approach is highly flexible. Secondly, all encryption is implemented uniformly in the bottommost layer of the system, so maintainability is higher. Thirdly, an encryption regulation and control strategy is issued to the terminal through the cloud, so that the terminal can flexibly adjust the encryption processing logic in an encryption I/O interface according to actual requirements when data encryption is carried out; in addition, the cloud can also issue different encryption regulation and control strategies according to different terminal service characteristics and different terminal scenarios, which improves encryption flexibility.
Based on the general principle of the technical framework, the terminal can intercept and proxy the kernel I/O interfaces at the bottommost layer of the operating system in advance, so that the corresponding management operations can subsequently be performed on application data through the resulting proxy I/O interfaces. Specifically, when detecting that an application is started, the terminal can dynamically load the bottom-layer I/O function module (i.e., the input/output module) of the operating system; the bottom-layer I/O function module may include various kernel I/O interfaces, such as a kernel output interface, a kernel input interface, a kernel open interface, and the like. Second, a functional logic global entry for the bottom-layer I/O function module is obtained; the functional logic global entry refers to program code stored in system memory. Then, the execution logic entry (also called the normal entry) of each kernel I/O interface in the I/O function module can be looked up and intercepted through the functional logic global entry; the execution logic entry refers to program code included in the kernel I/O interface. For example, the normal entry of the kernel input interface may include data writing code, the normal entry of the kernel output interface may include data reading code, the normal entry of the kernel open interface may include file opening code, and so on.
Then, a custom processing logic entry is injected at the intercepted execution logic entry of each kernel I/O interface, and the corresponding execution logic entry is added after the injected processing logic entry, thereby obtaining the proxy I/O interface corresponding to each kernel I/O interface (such as an encryption input interface corresponding to the kernel input interface and a decryption output interface corresponding to the kernel output interface). The processing logic interface corresponding to each kernel I/O interface may be stored in a corresponding injection point in the system memory; for example, the processing logic interface corresponding to kernel I/O interface 1 shown in fig. 5b may be stored in injection point 1 in the system memory. It should be noted that the purpose of the step of "injecting a custom processing logic entry at the intercepted execution logic entry of each kernel I/O interface" is as follows: when the execution logic entry of a kernel I/O interface is due to be executed, the custom processing logic entry is executed first, and then the execution logic entry is executed. Therefore, through this entry injection, when there is a subsequent data storage requirement, kernel byte level encryption processing can first be performed on the application data according to the data parameters (such as the processing logic entry) of the encryption input interface; the execution logic entry is then called to store the encrypted application data, thereby carrying out the I/O operation of the operating system, the operation object of which is the encrypted application data.
Based on the above description, the kernel I/O interfaces at the bottommost layer of the operating system are intercepted and corresponding proxy I/O interfaces are generated; each proxy I/O interface is injected with corresponding data processing logic, for example, the encryption input interface is injected with custom encryption processing logic. Then, before the normal response of the operating system is obtained, an I/O operation request for any application data of any application triggers the custom data processing logic (i.e., is replaced with the custom processing logic entry), so that kernel byte level encryption processing is performed on the application data. Furthermore, for the encryption input interface, the injected processing logic entry can also check whether an encryption regulation and control strategy exists in the local space and, if so, apply a more targeted encryption mode, thereby improving encryption efficiency and effect.
Based on this, the terminal may further provide a more specific application data encryption method. Referring to fig. 6, the application data encryption method may include the following steps S601 to S609:
S601, detecting whether the target application is in a starting state.
S602, under the condition that the target application is detected to be in the starting state, the kernel input and output module of the operating system of the terminal is dynamically loaded according to the instruction of the interface processing logic. The kernel input and output module at least comprises a kernel input interface related to target application data.
S603, intercepting an execution logic entry of the kernel input interface, wherein the execution logic entry refers to data writing codes included by the kernel input interface.
S604, data encryption codes are injected at the entrance of the execution logic, and an encryption input interface corresponding to the target application data is obtained.
In a specific implementation process, the execution logic entry may be replaced by a data encryption code, and the execution logic entry is added after the data encryption code, so as to obtain an encryption input interface corresponding to the target application data. Or, the interface calling position of the execution logic entry in the kernel input interface can be determined, and the data encryption code is added to any position in the kernel input interface before the interface calling position to obtain the encryption input interface corresponding to the target application data. Or, the data encryption code can be added to any position of the kernel input interface after the interface calling position to obtain an encryption input interface corresponding to the target application data; in this case, the terminal may further add a code jump instruction at a position in the kernel input interface before the interface call position, where the code jump instruction is used to implement that the execution order of the data encryption code precedes the execution order of the data writing code. It should be understood that the embodiments of the present invention are merely exemplary to list several implementations of adding data encryption codes, and are not exhaustive.
S605, running the target application in the target environment configured by the terminal.
S606, responding to the storage instruction of the target application data aiming at the target application, and acquiring the encryption input interface corresponding to the target application data.
S607, calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data.
In a specific implementation, it can be detected whether an encryption regulation and control strategy exists in the local space; if the encryption regulation and control strategy does not exist, the data encryption code injected into the encryption input interface can be called directly to carry out kernel byte level encryption processing on each byte data in the target application data. If the encryption regulation and control strategy exists, the injected data encryption code can be called to carry out kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control strategy. Because the embodiment of the invention processes the target application data in the custom data encryption code, implementing more targeted encryption regulation and control strategies becomes feasible; moreover, the encryption regulation and control strategy can be flexibly adjusted and the adjustment time can be customized, and whenever the injected data encryption code is called, the adjusted encryption regulation and control strategy is read and parsed and the adjustment takes effect. Therefore, while the application data is encrypted, the encryption effect and encryption performance are further improved, leaving considerable room for business operation. After kernel byte level encryption processing has been performed on each byte data in the target application data through the above steps, the encrypted data may be passed to the execution logic entry of the encryption input interface (i.e., the data writing code), and the I/O operation is performed on the processed data through the execution logic entry; see step S608 below.
S608, calling the encryption input interface to arrange the ciphertexts corresponding to the byte data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
It should be noted that, if the obtaining of the encryption input interface fails, the kernel input interface may be directly called to perform normal I/O operation on the target application data, that is, the kernel input interface is directly called to store the target application data in the local space.
Based on the above description, the application data encryption method provided by the embodiment of the present invention may have the following beneficial effects. First, the method uses Hook technology to uniformly intercept and proxy the I/O interfaces at the bottom layer of the system; this is completely transparent to the encrypted application, which does not perceive it, and it reduces the encryption cost (no separate encryption processing is needed at the application level) and the maintenance cost (factors such as application upgrades, application versions and application states need not be considered). Second, the invention uses Hook to achieve the encryption effect at the system level; it does not interfere with the logic of the system and does not involve system customization. Furthermore, it places no requirement on terminal hardware, so the implementation cost is low and subsequent maintenance for hardware adaptation problems is avoided. The invention intercepts and proxies, at the root, the element interfaces related to all encryption behaviors at the bottom layer, which ensures complete interception of all service encryption modes used by upper-layer applications and realizes the encryption of all application data running on the system, so the encryption range is complete and the encryption degree is thorough. The encryption method supports targeted strategy regulation and control, and the regulation and control mode is flexible, controllable, convenient and easy to operate. Combined with cloud deployment of regulation and control strategies, schemes can be issued flexibly, achieving targeted and flexible management and control for different terminals, different environments and different service scenarios, and better improving encryption efficiency and encryption quality.
Based on the above description, the terminal may further provide an application data encryption method. In the embodiment of the present invention, an example is mainly described in which the encryption input interface is a virtual interface generated by simulating a kernel input interface at the lowest layer in an operating system. Referring to fig. 7, the application data encryption method may include the following steps S701 to S707:
S701, acquiring a system file of a virtual system constructed by simulating an operating system of the terminal, wherein the system file at least comprises: data encryption code and data write code included in the kernel input interface.
S702, according to the instruction of the interface processing logic, acquiring the data encryption code and the data writing code from the system file.
S703, performing interface customization processing according to the data encryption code and the data writing code to generate an encryption input interface corresponding to the target application data.
S704, running the target application in the target environment configured by the terminal.
S705, responding to a storage instruction of target application data aiming at the target application, and acquiring an encryption input interface corresponding to the target application data.
S706, calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data.
S707, calling an encryption input interface to arrange ciphertexts corresponding to the byte data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
The embodiment of the invention can, in response to a storage instruction for target application data of a target application running in the target environment, acquire the encryption input interface corresponding to the target application data, and call the encryption input interface to perform kernel byte level encrypted storage of the target application data, which can effectively improve the security of the target application data. Moreover, because the encryption input interface is generated by imitating the whole operating system, compatibility with the system characteristics of different operating systems need not be considered when the encryption input interface is used to encrypt and store the target application data, which effectively improves the encryption performance; complete encryption of the target application data can also be ensured, so that the encryption range is more complete and the encryption degree more thorough, further improving the security and reliability of the target application data and protecting the privacy of the user. In addition, the upper-layer target application cannot perceive the encryption details of the bottom layer, so the encryption is completely transparent to the target application. Furthermore, because the interface processing logic is configured uniformly for the target environment, the terminal can uniformly perform storage management on each application running in the target environment based on the interface processing logic, which can effectively save resource cost.
In practical application, after the terminal has encrypted the target application data and stored it in the local space using the steps of any one of the embodiments above, a user who wants to view the target application data can, through a series of user operations, trigger the terminal to display the data identifier of the target application data in a user interface; the data identifier here may include, but is not limited to: a data name of the target application data, a message card corresponding to the target application data, and so on. For example, the target application is a social application and the target application data is social data (e.g., a file) received by the social application; the user can open the session interface of the target application in which the target application data was received, and find the display position of the target application data in the session interface; in this case, the terminal may display a data identifier (e.g., a message card) of the target application data in the session interface. Alternatively, the user can find the file directory where the target application data is located through the file manager of the terminal, and find the data identifier of the target application data in the file directory; in this case, the terminal may display a data identifier (e.g., a data name) of the target application data in the directory interface, and so on.
After the terminal displays the data identifier of the target application data on the user interface, the user performs a triggering operation (such as a clicking operation, a pressing operation, and the like) on the data identifier of the target application data to trigger the terminal to display the target application data. In the embodiment of the invention, in order to improve the security of the target application data, the terminal can perform security control on the display of the target application data; after the encryption operation is carried out on the application data generated by the target application running in the target environment, the user can normally view the data content of the target application data in the target environment, but cannot view the data content of the target application data outside the target environment. Based on the above, after detecting the trigger operation for the data identifier of the target application data, the terminal may detect whether the user interface is an application interface of any application running in the target environment in response to the trigger operation for the data identifier, so as to determine whether the user is in the target environment or outside the target environment to view the data content of the target application data. According to different detection results, the terminal can adopt different display logics to perform display processing, and the method specifically comprises the following steps:
If yes, the data identifier was triggered in the target environment, which indicates that the user is viewing the data content of the target application data in the target environment; in this case, the terminal may display the data content of the target application data according to the respective byte data in the target application data. In one specific implementation, if the target application data was stored in the local space through the kernel input interface, the terminal can first acquire a kernel output interface related to the target application data; second, the kernel output interface may be invoked to read the target application data from the local space. Then, the user interface can be switched to the data display interface, and the data content of the target application data is displayed in the data display interface according to each byte data in the target application data.
In another specific implementation, if the target application data was stored in the local space through the encryption input interface, the terminal may first obtain the decryption output interface corresponding to the target application data. Second, the terminal may use the decryption output interface to read the encrypted target application data from the local space of the terminal, and perform kernel byte level decryption processing on the ciphertext corresponding to each byte data in the encrypted target application data to obtain each byte data in the target application data. Kernel byte level decryption processing means calling the decryption output interface at the bottom layer to decrypt the ciphertext corresponding to each byte data respectively. Then, the user interface can be switched to the data display interface, and the data content of the target application data is displayed in the data display interface according to the byte data. The decryption output interface is generated according to the interface processing logic and the kernel output interface related to the target application data; the kernel output interface related to the target application data referred to here comprises data reading code.
In one embodiment, the interface processing logic may be operable to indicate: in a virtual system constructed by a simulated operating system, interface customization processing is carried out according to a data decryption code and a data reading code so as to generate a decryption output interface corresponding to target application data; that is, in this embodiment, the decrypted output interface is a virtual interface that is generated by emulating the kernel output interface that is the lowest layer in the operating system. Accordingly, the terminal may obtain in advance a system file of a virtual system constructed by emulating an operating system of the terminal, where the system file includes at least: the data decryption code and the data reading code included in the kernel output interface. Secondly, acquiring a data decryption code and a data reading code from the system file according to the instruction of the interface processing logic; then, interface customization processing can be carried out according to the data decryption code and the data reading code so as to generate a decryption output interface corresponding to the target application data.
In yet another embodiment, the interface processing logic may be operable to instruct: intercepting a kernel output interface related to target application data in an operating system, and adding a data decryption code in the kernel output interface to obtain a decryption output interface corresponding to the target application data; that is, in this embodiment, the decryption output interface is an interface obtained by intercepting a kernel output interface at the lowest layer in the operating system and modifying the kernel output interface. In particular, the interface processing logic may be configured to indicate: intercepting an execution logic entrance of a kernel output interface related to the target application data, and injecting a data decryption code at the execution logic entrance of the kernel output interface to obtain a decryption output interface corresponding to the target application data. The execution logic entry mentioned herein refers to the data writing code included in the kernel input interface. Correspondingly, the terminal can detect whether the target application is in a starting state in advance; under the condition that the target application is detected to be in the starting state, a kernel input/output module of an operating system of the terminal is dynamically loaded according to the indication of interface processing logic; the kernel input and output module at least comprises a kernel output interface related to target application data. Then, an execution logic entry of the kernel output interface can be intercepted; and injecting a data decryption code at an execution logic entrance of the kernel output interface to obtain a decryption output interface corresponding to the target application data.
The specific implementation of injecting the data decryption code at the execution logic entry of the kernel output interface to obtain the decryption output interface corresponding to the target application data may include any one of the following. An interface calling position of the execution logic entry of the kernel output interface is determined in the kernel output interface, and a data decryption code is added at any position after the interface calling position in the kernel output interface to obtain a decryption output interface corresponding to the target application data. Alternatively, a data decryption code may be added at any position in the kernel output interface before the interface calling position to obtain a decryption output interface corresponding to the target application data; in this case, the terminal may further add a code jump instruction to the kernel output interface at a position before the position of the data decryption code, where the code jump instruction ensures that the data decryption code is executed later than the execution logic entry of the kernel output interface. It should be understood that the embodiments of the present invention merely list several example implementations of adding the data decryption code, and the list is not exhaustive.
It should be noted that the decryption output interface may be generated in advance, or may be generated in real time after it is detected that the data identifier of the target application data has been triggered; this is not limited here. Regardless of which interface processing logic is used to generate the decryption output interface, the decryption output interface needs to satisfy the following condition: the data decryption code is executed later than the execution logic entry (i.e., the data reading code) of the kernel output interface. It should also be noted that, besides the data decryption code and the execution logic entry (i.e., the data reading code) of the kernel output interface mentioned above, the decryption output interface may include other program code, such as transition code that links the data decryption code with the execution logic entry (i.e., the data reading code) of the kernel output interface so that the decryption output interface can be used normally, and so on. It should also be understood that the embodiment of the present invention is explained by taking the principle of reading first and then decrypting as an example; in still other embodiments, the decryption processing may be performed first and the read processing afterwards, in which case the decryption output interface needs to satisfy the following condition: the data decryption code is executed earlier than the data reading code.
If not, the data identifier was triggered outside the target environment, which indicates that the user is viewing the data content of the target application data outside the target environment; in this case, the terminal may display error information about the target application data, i.e., not display the data content of the target application data. The error information about the target application data may include at least one of: an error prompt, scrambled data obtained by scrambling the target application data, and the like. The error prompt is used for prompting that viewing the target application data has failed.
In a specific implementation, the terminal may randomly select one or more pieces of error information and output and display the selected error information. Alternatively, the terminal may select error information according to the data type of the target application data, and output and display the selected error information. For example, if the data type of the target application data is word type, the scrambled data can be selected as the error information to be output and displayed, as shown in fig. 8a. For another example, if the data type of the target application data is pdf, an error prompt may be selected as the error information to be output and displayed, as shown in fig. 8b.
As can be seen from the above description, the terminal normally displays the data content of the target application data only if the data identification of the target application data is triggered in the target environment. If the data identification is triggered outside the target environment, error information about the target application data is displayed, i.e. the data content of the target application data is not displayed. Therefore, after the application data of the target application running in the target environment is encrypted and stored, the application data can be normally opened and displayed in the target environment but cannot be normally opened and displayed outside the target environment, the safety of the target application data can be effectively guaranteed, and the privacy safety of a user is guaranteed.
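The storage path (per-byte encryption, ciphertexts kept in order, plain write as the fallback) and the display path (read first, decrypt second, no content outside the target environment) are shown end to end in the following added C example, which is not code from the patent. The `enc_policy` struct, the function names, the file names and the two-byte key are assumptions made for illustration; the per-byte XOR with a key follows the symmetric case this document describes.

```c
/* Added illustration: names, key and policy layout are assumptions. */
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the encryption regulation and control strategy. */
struct enc_policy {
    const unsigned char *key;    /* key bytes XORed with the data; key_len > 0 */
    size_t key_len;
    const char *const *exempt;   /* custom list: paths stored as-is, NULL-terminated */
};

static bool is_exempt(const struct enc_policy *p, const char *path) {
    for (size_t i = 0; p->exempt && p->exempt[i]; i++)
        if (strcmp(p->exempt[i], path) == 0) return true;
    return false;
}

/* Byte-level transform. XOR is its own inverse, so it serves both directions. */
static void xor_bytes(unsigned char *buf, size_t n, const struct enc_policy *p) {
    for (size_t i = 0; i < n; i++) buf[i] ^= p->key[i % p->key_len];
}

/* Encryption input interface: encrypt every byte, keep the byte order, then run
 * the data write code. policy == NULL models the fallback in which no encryption
 * input interface was obtained and the plain kernel input interface is used. */
ssize_t enc_store(const char *path, const void *data, size_t n,
                  const struct enc_policy *policy) {
    unsigned char *tmp = malloc(n ? n : 1);
    if (!tmp) return -1;
    memcpy(tmp, data, n);
    if (policy && !is_exempt(policy, path)) xor_bytes(tmp, n, policy);

    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { free(tmp); return -1; }
    size_t done = 0;
    while (done < n) {
        ssize_t w = write(fd, tmp + done, n - done);
        if (w < 0) break;
        done += (size_t)w;
    }
    close(fd);
    free(tmp);
    return done == n ? (ssize_t)n : -1;
}

/* Decryption output interface: data reading code first, decryption second.
 * Outside the target environment no content is returned (-2); the caller shows
 * error information instead. policy == NULL is the plain kernel output interface. */
ssize_t dec_load(const char *path, void *out, size_t cap,
                 const struct enc_policy *policy, bool in_target_env) {
    if (!in_target_env) return -2;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    ssize_t r = 0;
    while (got < cap) {
        r = read(fd, (unsigned char *)out + got, cap - got);
        if (r <= 0) break;
        got += (size_t)r;
    }
    close(fd);
    if (r < 0) return -1;
    if (policy && !is_exempt(policy, path)) xor_bytes(out, got, policy);
    return (ssize_t)got;
}

int main(void) {
    /* Constructed sample data and key; not taken from the patent. */
    static const unsigned char key[] = {0x5a, 0xc3};
    const char *exempt[] = {"public_note.txt", NULL};
    struct enc_policy pol = {key, sizeof key, exempt};
    const char msg[] = "AAAA secret";
    unsigned char raw[32] = {0}, view[32] = {0};

    ssize_t stored = enc_store("private.bin", msg, sizeof msg - 1, &pol);
    ssize_t n = dec_load("private.bin", raw, sizeof raw, NULL, true);
    printf("stored=%zd, on-disk bytes equal plaintext: %s\n", stored,
           n > 0 && memcmp(raw, msg, (size_t)n) == 0 ? "yes" : "no");
    n = dec_load("private.bin", view, sizeof view, &pol, true);
    printf("inside target environment: %.*s\n", (int)(n > 0 ? n : 0), view);
    printf("outside target environment: %zd\n",
           dec_load("private.bin", view, sizeof view, &pol, false));
    remove("private.bin");
    return 0;
}
```

Calling `dec_load` with `policy == NULL` returns the bytes actually on disk. With a repeating XOR key, equal plaintext bytes that meet the same key byte give equal ciphertext bytes, which the constructed `AAAA` prefix makes visible.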
Based on the description of the above embodiment of the application data encryption method, the embodiment of the present invention also discloses an application data encryption apparatus, which may be a computer program (including a program code) running in the above mentioned terminal. The application data encryption apparatus may perform the methods shown in fig. 2, fig. 4, fig. 6, or fig. 7. Referring to fig. 9, the application data encryption apparatus may operate as follows:
an operation unit 901, configured to operate a target application in a target environment configured by a terminal, where the target environment is configured with a uniform interface processing logic;
the processing unit 902 is configured to, in response to a storage instruction of target application data for the target application, obtain an encrypted input interface corresponding to the target application data; wherein the encryption input interface is generated according to the interface processing logic and a kernel input interface related to the target application data; the target application data comprises at least one byte of data;
the processing unit 902 is further configured to invoke the encryption input interface to perform kernel byte-level encryption processing on each byte data in the target application data, so as to obtain a ciphertext corresponding to each byte data;
the processing unit 902 is further configured to invoke the encryption input interface to sequentially arrange ciphertexts corresponding to the byte data to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
In one embodiment, the processing unit 902 is further operable to:
detecting whether the target application is in a starting state;
under the condition that the target application is detected to be in the starting state, dynamically loading a kernel input/output module of an operating system of the terminal according to the indication of the interface processing logic; the kernel input and output module at least comprises a kernel input interface related to the target application data;
intercepting an execution logic entry of the kernel input interface, wherein the execution logic entry refers to data writing codes included by the kernel input interface;
and injecting a data encryption code at the entrance of the execution logic to obtain an encryption input interface corresponding to the target application data.
In yet another embodiment, the processing unit 902 is further configured to:
acquiring a system file of a virtual system constructed by imitating an operating system of the terminal, wherein the system file at least comprises: the data encryption code and the data writing code included by the kernel input interface;
acquiring the data encryption code and the data writing code from the system file according to the indication of the interface processing logic;
and performing interface customization processing according to the data encryption code and the data writing code to generate an encryption input interface corresponding to the target application data.
In another embodiment, when the processing unit 902 is configured to invoke the encryption input interface to perform kernel byte-level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data, the processing unit may be specifically configured to:
calling the encryption input interface to obtain an encryption algorithm corresponding to each byte data in the target application data, wherein the encryption algorithms corresponding to each byte data are the same or different;
and respectively adopting the encryption algorithm corresponding to each byte data to carry out kernel byte level encryption processing on the corresponding byte data to obtain the ciphertext corresponding to each byte data.
In another embodiment, the encryption algorithm corresponding to any byte data in the target application data is: a symmetric encryption algorithm, an asymmetric encryption algorithm, or a hash algorithm; correspondingly, when the processing unit 902 is configured to perform kernel byte level encryption processing on the corresponding byte data by using the encryption algorithm corresponding to each byte data to obtain the ciphertext corresponding to each byte data, the processing unit 902 may be specifically configured to:
if the encryption algorithm corresponding to any byte of data is the symmetric encryption algorithm or the asymmetric encryption algorithm, acquiring a key for encryption processing, and performing exclusive-or operation on the key and any byte of data to obtain a ciphertext corresponding to any byte of data;
and if the encryption algorithm corresponding to any byte of data is the hash algorithm, performing hash operation on any byte of data to obtain a ciphertext corresponding to any byte of data.
In yet another embodiment, the encrypted input interface includes a data encryption code; correspondingly, when the processing unit 902 is configured to call the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data, the processing unit 902 may be specifically configured to:
detecting whether an encryption regulation and control strategy issued by a cloud server exists in the local space;
if the encryption regulation and control strategy exists, calling the encryption input interface to carry out kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control strategy;
if the encryption regulation and control strategy does not exist, calling a data encryption code in the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data.
In another embodiment, the encryption regulation and control policy includes a custom list, where the custom list is used to indicate at least one application data that does not need to be encrypted; correspondingly, when the processing unit 902 is configured to call the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control policy, the processing unit may be specifically configured to:
performing data hit matching on the target application data and at least one application data indicated by the custom list;
if the data hit matching fails, calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data;
and if the data hit match is successful, directly storing the target application data into a local space of the terminal.
In yet another embodiment, the encryption regulation policy includes encryption processing logic that includes at least one of: an encryption field, an encryption algorithm, and an encryption number; correspondingly, when the processing unit 902 is configured to call the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control policy, the processing unit may be specifically configured to:
adjusting the data encryption code in the encryption input interface according to the encryption processing logic;
and calling the adjusted data encryption code to perform kernel byte level encryption processing on each byte data in the target application data.
In another embodiment, when the processing unit 902 is configured to store the encrypted target application data in the local space of the terminal, it may specifically be configured to:
determining a relocation address for the target application data from a local space of the terminal;
acquiring a target file used for storing the target application data at the relocation address;
and writing the encrypted target application data into the target file.
In yet another embodiment, the processing unit 902 is further operable to:
if the encryption input interface corresponding to the target application data fails to be obtained, obtaining a kernel input interface related to the target application data;
and calling the kernel input interface to store the target application data to a local space of the terminal.
In yet another embodiment, the processing unit 902 is further operable to:
displaying a data identifier of target application data in a user interface of a terminal;
responding to the trigger operation aiming at the data identification, and detecting whether the user interface is an application interface of any application running in the target environment;
if so, displaying the data content of the target application data according to each byte data in the target application data; otherwise, displaying error information about the target application data.
In another embodiment, the target application data is stored in the local space through the encryption input interface; accordingly, when the processing unit 902 is configured to, if so, display the data content of the target application data according to each byte data in the target application data, it may be configured to:
if so, acquiring a decryption output interface corresponding to the target application data; wherein the decryption output interface is generated according to the interface processing logic and a kernel output interface related to the target application data;
calling the decryption output interface to read the encrypted target application data from the local space of the terminal;
performing kernel byte level decryption processing on the ciphertext corresponding to each byte data in the encrypted target application data to obtain each byte data in the target application data;
and switching to a data display interface from the user interface, and displaying the data content of the target application data in the data display interface according to the byte data.
In another embodiment, the target application data is stored in the local space through the encryption input interface; accordingly, when the processing unit 902 is configured to, if so, display the data content of the target application data according to each byte data in the target application data, it may be configured to:
if yes, acquiring a kernel output interface related to the target application data;
calling the kernel output interface to read the target application data from the local space;
and switching to a data display interface from the user interface, and displaying the data content of the target application data in the data display interface according to each byte data in the target application data.
In yet another embodiment, the processing unit 902 is further configured to:
detecting whether a target application is in a starting state;
under the condition that the target application is detected to be in the starting state, dynamically loading a kernel input/output module of an operating system of the terminal according to the indication of interface processing logic; the kernel input and output module at least comprises a kernel output interface related to target application data;
intercepting an execution logic entry of a kernel output interface, wherein the execution logic entry refers to data write-in codes included by a kernel input interface;
and injecting a data decryption code at an execution logic inlet of the kernel output interface to obtain a decryption output interface corresponding to the target application data.
In yet another embodiment, the processing unit 902 is further configured to:
acquiring a system file of a virtual system constructed by imitating an operating system of the terminal, wherein the system file at least comprises: the data decryption code and the data reading code included by the kernel output interface;
acquiring the data decryption code and the data reading code from the system file according to the instruction of the interface processing logic;
and performing interface customization processing according to the data decryption code and the data reading code to generate a decryption output interface corresponding to the target application data.
In yet another embodiment, the kernel output interface associated with the target application data includes data reading code; the interface processing logic is to indicate: intercepting a kernel output interface related to the target application data in an operating system, and adding a data decryption code in the kernel output interface to obtain a decryption output interface corresponding to the target application data; alternatively, the interface processing logic is to instruct: in a virtual system constructed by imitating the operating system, interface customization processing is carried out according to the data decryption code and the data reading code so as to generate a decryption output interface corresponding to the target application data; wherein, the decryption output interface satisfies the following conditions: the execution sequence of the data decryption codes is later than that of the data reading codes.
In yet another embodiment, the error information includes at least one of: an error prompt, and garbled data obtained by garbling the target application data; wherein the error prompt is used to indicate that viewing the target application data failed.
According to an embodiment of the present invention, each step involved in the method shown in fig. 2, fig. 4, fig. 6 or fig. 7 may be performed by each unit in the application data encryption apparatus shown in fig. 9. For example, step S201 shown in fig. 2 may be performed by the execution unit 901 shown in fig. 9, and steps S202 to S204 may be performed by the processing unit 902 shown in fig. 9. As another example, step S401 shown in fig. 4 may be performed by the execution unit 901 shown in fig. 9, and steps S402-S410 may be performed by the processing unit 902 shown in fig. 9. As another example, steps S601 to S604 shown in fig. 6 may be performed by the processing unit 902 shown in fig. 9, step S605 may be performed by the execution unit 901 shown in fig. 9, and steps S606 to S608 may be performed by the processing unit 902 shown in fig. 9. As another example, steps S701 to S703 shown in fig. 7 may be performed by the processing unit 902 shown in fig. 9, step S704 may be performed by the execution unit 901 shown in fig. 9, steps S705 to S707 may be performed by the processing unit 902 shown in fig. 9, and so on.
According to another embodiment of the present invention, the units in the application data encryption apparatus shown in fig. 9 may be respectively or entirely combined into one or several other units to form another unit, or some unit(s) therein may be further split into multiple units with smaller functions to form another unit, which may achieve the same operation without affecting the achievement of the technical effect of the embodiment of the present invention. The units are divided based on logic functions, and in practical application, the functions of one unit can be realized by a plurality of units, or the functions of a plurality of units can be realized by one unit. In other embodiments of the present invention, the application data encryption device may also include other units, and in practical applications, these functions may also be implemented by the assistance of other units, and may be implemented by cooperation of multiple units.
According to another embodiment of the present invention, the application data encryption apparatus shown in fig. 9 may be constructed, and the application data encryption method of the embodiment of the present invention implemented, by running a computer program (including program code) capable of executing the steps of the methods shown in fig. 2, fig. 4, fig. 6, or fig. 7 on a general-purpose computing device, such as a computer, that includes processing elements and storage elements such as a Central Processing Unit (CPU), a random access storage medium (RAM), and a read-only storage medium (ROM). The computer program may be recorded on, for example, a computer-readable recording medium, and loaded into and executed in the above-described computing device via the computer-readable recording medium.
The embodiment of the invention can respond to a storage instruction for target application data of a target application running in the target environment and acquire the encryption input interface corresponding to the target application data; the encryption input interface is then called to perform kernel byte level encrypted storage of the target application data, which can effectively improve the security of the target application data. Moreover, because the encryption input interface is generated according to the interface processing logic and the kernel input interface related to the target application data (namely the input interface at the bottommost layer of the operating system), encrypting and storing the target application data through it ensures that the target application data is completely encrypted and that none of it is omitted; the encryption range is therefore more complete and the encryption more thorough, which further improves the security and reliability of the target application data and protects the user's privacy. In addition, the target application in the upper layer cannot perceive the encryption details of the bottom layer, so the encryption is completely transparent to the target application. Furthermore, because the interface processing logic is configured uniformly for the target environment, the terminal can uniformly manage storage for each application running in the target environment based on the interface processing logic, which can effectively save resource cost.
Based on the description of the method embodiment and the device embodiment, the embodiment of the invention also provides a terminal. Referring to fig. 10, the terminal may include at least a processor 1001, an input device 1002, an output device 1003, and a computer storage medium 1004. The processor 1001, the input device 1002, the output device 1003, and the computer storage medium 1004 in the terminal may be connected by a bus or other means. A computer storage medium 1004 may be stored in the memory of the terminal, the computer storage medium 1004 being used for storing a computer program comprising program instructions, the processor 1001 being used for executing the program instructions stored by the computer storage medium 1004. The processor 1001 (or CPU) is a computing core and a control core of the terminal, and is adapted to implement one or more instructions, and in particular, is adapted to load and execute the one or more instructions so as to implement a corresponding method flow or a corresponding function.
In an embodiment, the processor 1001 according to the embodiment of the present invention may be configured to perform a series of application data encryption processes, and specifically includes: running a target application in a target environment configured by a terminal, wherein the target environment is configured with a uniform interface processing logic; responding to a storage instruction of target application data of the target application, and acquiring an encryption input interface corresponding to the target application data; wherein the encryption input interface is generated according to the interface processing logic and a kernel input interface related to the target application data; the target application data comprises at least one byte of data; calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data; calling the encryption input interface to arrange the ciphertexts corresponding to the byte data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal, and the like.
The embodiment of the invention also provides a computer storage medium (Memory), which is a Memory device in the terminal and is used for storing programs and data. It is understood that the computer storage medium herein may include a built-in storage medium in the terminal, and may also include an extended storage medium supported by the terminal. The computer storage medium provides a storage space that stores an operating system of the terminal. Also stored in this memory space are one or more instructions, which may be one or more computer programs (including program code), suitable for loading and execution by processor 1001. The computer storage medium may be a high-speed RAM memory, or may be a non-volatile memory (non-volatile memory), such as at least one disk memory; and optionally at least one computer storage medium located remotely from the processor.
In one embodiment, one or more instructions stored in a computer storage medium may be loaded and executed by processor 1001 to implement the corresponding steps of the methods described above in relation to the application data encryption method embodiments; in particular implementations, one or more instructions in the computer storage medium are loaded by the processor 1001 and perform the following steps:
running a target application in a target environment configured by a terminal, wherein the target environment is configured with a uniform interface processing logic;
responding to a storage instruction of target application data of the target application, and acquiring an encryption input interface corresponding to the target application data; wherein the encryption input interface is generated according to the interface processing logic and a kernel input interface related to the target application data; the target application data comprises at least one byte of data;
calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data;
calling the encryption input interface to arrange the ciphertexts corresponding to the byte data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
In one embodiment, the one or more instructions may also be loaded and specifically executed by processor 1001:
detecting whether the target application is in a starting state;
under the condition that the target application is detected to be in the starting state, dynamically loading a kernel input/output module of an operating system of the terminal according to the indication of the interface processing logic; the kernel input and output module at least comprises a kernel input interface related to the target application data;
intercepting an execution logic entry of the kernel input interface, wherein the execution logic entry refers to data writing codes included by the kernel input interface;
and injecting a data encryption code at the execution logic entry to obtain an encryption input interface corresponding to the target application data.
In yet another embodiment, the one or more instructions may be further loaded and specifically executed by the processor 1001:
acquiring a system file of a virtual system constructed by imitating an operating system of the terminal, wherein the system file at least comprises: the data encryption code and the data writing code included by the kernel input interface;
acquiring the data encryption code and the data writing code from the system file according to the indication of the interface processing logic;
and performing interface customization processing according to the data encryption code and the data writing code to generate an encryption input interface corresponding to the target application data.
In another embodiment, when the encryption input interface is called to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data, the one or more instructions may be loaded and specifically executed by the processor 1001:
calling the encryption input interface to obtain an encryption algorithm corresponding to each byte data in the target application data, wherein the encryption algorithms corresponding to each byte data are the same or different;
and respectively adopting the encryption algorithm corresponding to each byte data to carry out kernel byte level encryption processing on the corresponding byte data to obtain the ciphertext corresponding to each byte data.
In another embodiment, the encryption algorithm corresponding to any byte data in the target application data is: a symmetric encryption algorithm, an asymmetric encryption algorithm, or a hash algorithm; correspondingly, when the encryption algorithm corresponding to each byte data is used to perform kernel byte level encryption processing on the corresponding byte data to obtain the ciphertext corresponding to each byte data, the one or more instructions may be loaded and specifically executed by the processor 1001:
if the encryption algorithm corresponding to any byte of data is the symmetric encryption algorithm or the asymmetric encryption algorithm, acquiring a key for encryption processing, and performing exclusive-or operation on the key and any byte of data to obtain a ciphertext corresponding to any byte of data;
and if the encryption algorithm corresponding to any byte of data is the hash algorithm, performing hash operation on any byte of data to obtain a ciphertext corresponding to any byte of data.
In yet another embodiment, the encrypted input interface includes a data encryption code; correspondingly, when the encryption input interface is called to perform kernel byte level encryption processing on each byte data in the target application data, the one or more instructions may be loaded and specifically executed by the processor 1001:
detecting whether an encryption regulation and control strategy issued by a cloud server exists in the local space;
if the encryption regulation and control strategy exists, calling the encryption input interface to carry out kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control strategy;
if the encryption regulation and control strategy does not exist, calling the data encryption code in the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data.
In another embodiment, the encryption regulation and control policy includes a custom list, where the custom list is used to indicate at least one application data that does not need to be encrypted; correspondingly, when the encryption input interface is called to perform kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control policy, the one or more instructions may be loaded and specifically executed by the processor 1001:
performing data hit matching on the target application data and at least one application data indicated by the custom list;
if the data hit matching fails, calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data;
and if the data hit match is successful, directly storing the target application data into a local space of the terminal.
In yet another embodiment, the encryption regulation policy includes encryption processing logic that includes at least one of: an encryption field, an encryption algorithm, and an encryption number; correspondingly, when the encryption input interface is called to perform kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control policy, the one or more instructions may be loaded and specifically executed by the processor 1001:
adjusting the data encryption code in the encryption input interface according to the encryption processing logic;
and calling the adjusted data encryption code to perform kernel byte level encryption processing on each byte data in the target application data.
In another embodiment, when storing the encrypted target application data in the local space of the terminal, the one or more instructions may be loaded and specifically executed by the processor 1001:
determining a relocation address for the target application data from a local space of the terminal;
acquiring a target file used for storing the target application data at the relocation address;
and writing the encrypted target application data into the target file.
In yet another embodiment, the one or more instructions may be further loaded and specifically executed by the processor 1001:
if the encryption input interface corresponding to the target application data fails to be obtained, obtaining a kernel input interface related to the target application data;
and calling the kernel input interface to store the target application data to a local space of the terminal.
In yet another embodiment, the one or more instructions may be further loaded and specifically executed by the processor 1001:
displaying a data identifier of target application data in a user interface of a terminal;
responding to the trigger operation aiming at the data identification, and detecting whether the user interface is an application interface of any application running in the target environment;
if so, displaying the data content of the target application data according to each byte data in the target application data; otherwise, displaying error information about the target application data.
In another embodiment, the target application data is stored in the local space through the encryption input interface; correspondingly, if so, when the data content of the target application data is displayed according to each byte data in the target application data, the one or more instructions may be loaded and specifically executed by the processor 1001:
if so, acquiring a decryption output interface corresponding to the target application data; the decryption output interface is generated according to the interface processing logic and a kernel output interface related to the target application data;
calling the decryption output interface to read the encrypted target application data from the local space of the terminal;
performing kernel byte level decryption processing on the ciphertext corresponding to each byte data in the encrypted target application data to obtain each byte data in the target application data;
and switching to a data display interface from the user interface, and displaying the data content of the target application data in the data display interface according to the byte data.
In another embodiment, the target application data is stored in the local space through the kernel input interface; correspondingly, if so, when the data content of the target application data is displayed according to each byte data in the target application data, the one or more instructions may be loaded and specifically executed by the processor 1001:
if yes, acquiring a kernel output interface related to the target application data;
calling the kernel output interface to read the target application data from the local space;
and switching to a data display interface from the user interface, and displaying the data content of the target application data in the data display interface according to each byte data in the target application data.
In yet another embodiment, the one or more instructions may be further loaded and specifically executed by the processor 1001:
detecting whether a target application is in a starting state;
under the condition that the target application is detected to be in the starting state, dynamically loading a kernel input/output module of an operating system of the terminal according to the indication of interface processing logic; the kernel input and output module at least comprises a kernel output interface related to target application data;
intercepting an execution logic entry of a kernel output interface, wherein the execution logic entry refers to data write-in codes included by a kernel input interface;
and injecting a data decryption code at the execution logic entry of the kernel output interface to obtain a decryption output interface corresponding to the target application data.
In yet another embodiment, the one or more instructions may be further loaded and specifically executed by the processor 1001:
acquiring a system file of a virtual system constructed by imitating the operating system of the terminal, wherein the system file at least comprises: the data decryption code and the data reading code included by the kernel output interface;
acquiring the data decryption code and the data reading code from the system file according to the instruction of the interface processing logic;
and performing interface customization processing according to the data decryption code and the data reading code to generate a decryption output interface corresponding to the target application data.
In yet another embodiment, the kernel output interface associated with the target application data includes data reading code; the interface processing logic is to indicate: intercepting a kernel output interface related to the target application data in an operating system, and adding a data decryption code in the kernel output interface to obtain a decryption output interface corresponding to the target application data; alternatively, the interface processing logic is to instruct: in a virtual system constructed by imitating the operating system, interface customization processing is carried out according to the data decryption code and the data reading code so as to generate a decryption output interface corresponding to the target application data; wherein, the decryption output interface satisfies the following conditions: the execution sequence of the data decryption codes is later than that of the data reading codes.
In yet another embodiment, the error information includes at least one of: an error prompt, and garbled data obtained by garbling the target application data; wherein the error prompt is used to indicate that viewing the target application data failed.
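The storage and viewing flow of the embodiments above (encryption placed before the write, the custom-list exemption, the fallback to the plain kernel input interface, and decryption placed after the read), as an added example that is not code from the patent. It is a user-space Python model: `LocalSpace`, matching the custom list by data name, cycling a multi-byte key over the data, and the `stored_encrypted` bookkeeping are assumptions of this example.

```python
"""Constructed user-space model of the storage and viewing flow.

Nothing here touches a real kernel: LocalSpace stands in for the terminal's
local space, and its two methods stand in for the kernel input and output
interfaces (the data writing code and the data reading code).
"""
from typing import Callable, Dict, Optional, Set, Tuple, Union

ERROR_PROMPT = "failed to view target application data"  # constructed wording


class LocalSpace:
    """In-memory stand-in for the terminal's local space (name -> stored bytes)."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def kernel_write(self, name: str, data: bytes) -> None:  # data writing code
        self.files[name] = bytes(data)

    def kernel_read(self, name: str) -> bytes:  # data reading code
        return self.files[name]


def xor_per_byte(data: bytes, key: bytes) -> bytes:
    """XOR every byte with a key byte and keep the results in the original order.

    Cycling a multi-byte key over the data is an assumption of this example.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_encrypt_input(write: Callable[[str, bytes], None], key: bytes):
    """Encryption input interface: the encryption code runs before the writing code."""
    def encrypt_input(name: str, data: bytes) -> None:
        write(name, xor_per_byte(data, key))
    return encrypt_input


def make_decrypt_output(read: Callable[[str], bytes], key: bytes):
    """Decryption output interface: the decryption code runs after the reading code."""
    def decrypt_output(name: str) -> bytes:
        return xor_per_byte(read(name), key)
    return decrypt_output


class TargetEnvironment:
    """Applies one interface processing logic to every store and view request."""

    def __init__(self, space: LocalSpace, key: bytes,
                 custom_list: Optional[Set[str]] = None, hook_ok: bool = True) -> None:
        self.space = space
        # None models "no policy issued by the cloud server exists in local space".
        self.custom_list = custom_list
        # hook_ok=False models failure to obtain the encryption input interface.
        self.encrypt_input = make_encrypt_input(space.kernel_write, key) if hook_ok else None
        self.decrypt_output = make_decrypt_output(space.kernel_read, key) if hook_ok else None
        # Assumption: remember which items were stored through the encrypted path.
        self.stored_encrypted: Set[str] = set()

    def _store_plain(self, name: str, data: bytes, path: str) -> str:
        self.space.kernel_write(name, data)
        self.stored_encrypted.discard(name)
        return path

    def store(self, name: str, data: bytes) -> str:
        """Store data and return which path handled it."""
        if self.encrypt_input is None:
            return self._store_plain(name, data, "kernel-input")  # fallback path
        if self.custom_list is not None and name in self.custom_list:
            return self._store_plain(name, data, "custom-list")   # hit: no encryption
        self.encrypt_input(name, data)
        self.stored_encrypted.add(name)
        return "encrypted"

    def view(self, name: str, caller_in_target_env: bool) -> Tuple[bool, Union[bytes, str]]:
        """Return (True, plaintext) inside the target environment, else the error prompt."""
        if not caller_in_target_env:
            return (False, ERROR_PROMPT)
        if name in self.stored_encrypted:
            return (True, self.decrypt_output(name))
        return (True, self.space.kernel_read(name))


if __name__ == "__main__":
    space = LocalSpace()
    env = TargetEnvironment(space, key=b"\x5a\xa5", custom_list={"cache.tmp"})
    print(env.store("notes.db", b"secret"), space.files["notes.db"].hex())
    print(env.view("notes.db", caller_in_target_env=True))
    print(env.view("notes.db", caller_in_target_env=False))
```

Because each byte is processed independently and the ciphertexts are kept in order, the stored data has the same length as the plaintext, and byte i of the stored data depends only on byte i of the plaintext and the key.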
The embodiment of the invention can respond to a storage instruction for target application data of a target application running in the target environment and acquire the encryption input interface corresponding to the target application data; the encryption input interface is then called to perform kernel byte level encrypted storage of the target application data, which can effectively improve the security of the target application data. Moreover, because the encryption input interface is generated according to the interface processing logic and the kernel input interface related to the target application data (namely the input interface at the bottommost layer of the operating system), encrypting and storing the target application data through it ensures that the target application data is completely encrypted and that none of it is omitted; the encryption range is therefore more complete and the encryption more thorough, which further improves the security and reliability of the target application data and protects the user's privacy. In addition, the target application in the upper layer cannot perceive the encryption details of the bottom layer, so the encryption is completely transparent to the target application. Furthermore, because the interface processing logic is configured uniformly for the target environment, the terminal can uniformly manage storage for each application running in the target environment based on the interface processing logic, which can effectively save resource cost.
It should be noted that according to an aspect of the present application, a computer program product or a computer program is also provided, and the computer program product or the computer program includes computer instructions, and the computer instructions are stored in a computer readable storage medium. The computer instructions are read by a processor of a computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the methods provided in the various alternatives to the aspects of the method embodiments shown in fig. 2, 4, 6 or 7 described above.
It should be understood, however, that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention.
Claims (15)
1. An application data encryption method, comprising:
running a target application in a target environment configured by a terminal, wherein the target environment is configured with a uniform interface processing logic;
responding to a storage instruction of target application data of the target application, and acquiring an encryption input interface corresponding to the target application data; wherein the encryption input interface is generated according to the interface processing logic and a kernel input interface related to the target application data; the target application data comprises at least one byte of data;
calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data;
calling the encryption input interface to arrange the ciphertexts corresponding to the byte data in sequence to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
2. The method of claim 1, wherein the method further comprises:
detecting whether the target application is in a starting state;
under the condition that the target application is detected to be in the starting state, dynamically loading a kernel input/output module of an operating system of the terminal according to the indication of the interface processing logic; the kernel input and output module at least comprises a kernel input interface related to the target application data;
intercepting an execution logic entry of the kernel input interface, wherein the execution logic entry refers to data writing codes included by the kernel input interface;
and injecting a data encryption code at the execution logic entry to obtain an encryption input interface corresponding to the target application data.
3. The method of claim 1, wherein the method further comprises:
acquiring a system file of a virtual system constructed by imitating an operating system of the terminal, wherein the system file at least comprises: the data encryption code and the data writing code included by the kernel input interface;
acquiring the data encryption code and the data writing code from the system file according to the indication of the interface processing logic;
and performing interface customization processing according to the data encryption code and the data writing code to generate an encryption input interface corresponding to the target application data.
4. The method according to any one of claims 1 to 3, wherein the invoking the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data includes:
calling the encryption input interface to obtain an encryption algorithm corresponding to each byte data in the target application data, wherein the encryption algorithms corresponding to each byte data are the same or different;
and respectively adopting the encryption algorithm corresponding to each byte data to carry out kernel byte level encryption processing on the corresponding byte data to obtain the ciphertext corresponding to each byte data.
5. The method of claim 4, wherein the encryption algorithm corresponding to any byte of data in the target application data is: a symmetric encryption algorithm, an asymmetric encryption algorithm, or a hash algorithm; the performing kernel byte level encryption processing on the corresponding byte data by using the encryption algorithm corresponding to each byte data to obtain the ciphertext corresponding to each byte data includes:
if the encryption algorithm corresponding to any byte of data is the symmetric encryption algorithm or the asymmetric encryption algorithm, acquiring a key for encryption processing, and performing exclusive-or operation on the key and any byte of data to obtain a ciphertext corresponding to any byte of data;
and if the encryption algorithm corresponding to any byte of data is the hash algorithm, performing hash operation on any byte of data to obtain a ciphertext corresponding to any byte of data.
6. The method of any one of claims 1-3, wherein the encryption input interface includes data encryption code, and the invoking the encryption input interface to perform kernel byte level encryption processing on respective bytes of data in the target application data comprises:
detecting whether an encryption regulation and control strategy issued by a cloud server exists in the local space;
if the encryption regulation and control strategy exists, calling the encryption input interface to carry out kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control strategy;
if the encryption regulation and control strategy does not exist, calling the data encryption code in the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data.
7. The method of claim 6, wherein the encryption regulation policy comprises a custom list indicating at least one application data that does not require encryption processing; the invoking the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control strategy includes:
performing data hit matching on the target application data and at least one application data indicated by the custom list;
if the data hit matching fails, calling the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data;
and if the data hit match is successful, directly storing the target application data into a local space of the terminal.
8. The method of claim 6, wherein the encryption regulation policy comprises encryption processing logic comprising at least one of: an encryption field, an encryption algorithm, and an encryption number; the invoking the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data according to the encryption regulation and control strategy includes:
adjusting the data encryption code in the encryption input interface according to the encryption processing logic;
and calling the adjusted data encryption code to perform kernel byte level encryption processing on each byte data in the target application data.
9. The method of claim 1, wherein the storing the encrypted target application data into a local space of the terminal comprises:
determining a relocation address for the target application data from a local space of the terminal;
acquiring a target file used for storing the target application data at the relocation address;
and writing the encrypted target application data into the target file.
10. The method of claim 1, wherein the method further comprises:
if the encryption input interface corresponding to the target application data fails to be obtained, obtaining a kernel input interface related to the target application data;
and calling the kernel input interface to store the target application data to a local space of the terminal.
11. The method of claim 10, wherein the method further comprises:
displaying a data identifier of target application data in a user interface of a terminal;
responding to the trigger operation aiming at the data identification, and detecting whether the user interface is an application interface of any application running in the target environment;
if so, displaying the data content of the target application data according to each byte data in the target application data; otherwise, displaying error information about the target application data.
12. The method of claim 11, wherein the target application data is stored into the local space through the encrypted input interface; the displaying the data content of the target application data according to each byte data in the target application data includes:
acquiring a decryption output interface corresponding to the target application data; the decryption output interface is generated according to the interface processing logic and a kernel output interface related to the target application data;
calling the decryption output interface to read the encrypted target application data from the local space of the terminal;
performing kernel byte level decryption processing on the ciphertext corresponding to each byte data in the encrypted target application data to obtain each byte data in the target application data;
and switching to a data display interface from the user interface, and displaying the data content of the target application data in the data display interface according to the byte data.
13. The method of claim 11, wherein the target application data is stored into the local space through the kernel input interface; the displaying the data content of the target application data according to each byte data in the target application data includes:
acquiring a kernel output interface related to the target application data;
calling the kernel output interface to read the target application data from the local space;
and switching to a data display interface from the user interface, and displaying the data content of the target application data in the data display interface according to each byte data in the target application data.
14. An application data encryption apparatus, comprising:
an operation unit, configured to run a target application in a target environment configured by the terminal, wherein the target environment is configured with uniform interface processing logic;
a processing unit, configured to, in response to a storage instruction for target application data of the target application, acquire an encryption input interface corresponding to the target application data; wherein the encryption input interface is generated according to the interface processing logic and a kernel input interface related to the target application data; the target application data comprises at least one byte of data;
the processing unit is further configured to call the encryption input interface to perform kernel byte level encryption processing on each byte data in the target application data to obtain a ciphertext corresponding to each byte data;
the processing unit is further configured to call the encryption input interface to sequentially arrange ciphertexts corresponding to the byte data to form encrypted target application data; and storing the encrypted target application data into a local space of the terminal.
15. A computer storage medium having stored thereon one or more instructions adapted to be loaded by a processor and to perform the application data encryption method of any one of claims 1-13.
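The store and display flow of claims 9 to 13, sketched as an added example (not code from the patent). The HMAC-SHA256 keystream, the `TargetEnvironment` class and every name here are assumptions, since the claims name no algorithm; a missing key stands in for failing to obtain the encryption input interface.

```python
import hashlib, hmac, os, tempfile

def kernel_write(path, data):          # stand-in for the kernel input interface
    with open(path, "wb") as f:
        return f.write(data)

def kernel_read(path):                 # stand-in for the kernel output interface
    with open(path, "rb") as f:
        return f.read()

def _ks(key, i):
    # Assumed stand-in cipher: HMAC-SHA256 in counter mode, one keystream byte
    # per byte position. A real design adds a per-file nonce and integrity.
    return hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()[i % 32]

def wrap_input(write, key):            # "interface processing logic", input side
    return lambda path, data: write(path, bytes(b ^ _ks(key, i) for i, b in enumerate(data)))

def wrap_output(read, key):            # "interface processing logic", output side
    return lambda path: bytes(c ^ _ks(key, i) for i, c in enumerate(read(path)))

class TargetEnvironment:
    def __init__(self, root, key):
        self.root, self.key, self.encrypted = root, key, {}

    def store(self, name, data):
        path = os.path.join(self.root, name)       # relocation address (claim 9)
        write = wrap_input(kernel_write, self.key) if self.key else None
        self.encrypted[name] = write is not None   # remember which interface wrote it
        (write or kernel_write)(path, data)        # claim 10: fall back to kernel write
        return path

    def display(self, name, caller_in_environment):
        if not caller_in_environment:              # claim 11: other callers get an error
            return None, "error: data unavailable outside the target environment"
        path = os.path.join(self.root, name)
        read = wrap_output(kernel_read, self.key) if self.encrypted[name] else kernel_read
        return read(path), None

def demo():
    root = tempfile.mkdtemp()
    env = TargetEnvironment(root, b"constructed-demo-key")   # constructed key
    path = env.store("note.txt", b"salary=9000")             # constructed sample data
    on_disk = kernel_read(path)                    # what a process outside the wrapper reads
    shown, _ = env.display("note.txt", True)
    blocked, err = env.display("note.txt", False)
    fallback = TargetEnvironment(root, None)       # encryption interface not obtained
    plain = kernel_read(fallback.store("plain.txt", b"salary=9000"))
    return on_disk, shown, blocked, err, plain
```

The last value returned by `demo()` is the claim 10 fallback: the file lands on disk unencrypted, so a deployment should log or alert whenever that path is taken.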
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011059756.5A CN111931222B (en) | 2020-09-30 | 2020-09-30 | Application data encryption method, device, terminal and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011059756.5A CN111931222B (en) | 2020-09-30 | 2020-09-30 | Application data encryption method, device, terminal and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111931222A (en) | 2020-11-13 |
| CN111931222B (en) | 2020-12-29 |
Family
ID=73334734
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011059756.5A Active CN111931222B (en) | 2020-09-30 | 2020-09-30 | Application data encryption method, device, terminal and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111931222B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113656810B (en) * | 2021-07-16 | 2024-07-12 | 五八同城信息技术有限公司 | Application encryption method and device, electronic equipment and storage medium |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101587479B (en) * | 2008-06-26 | 2011-04-13 | 北京人大金仓信息技术股份有限公司 | Database management system kernel oriented data encryption/decryption system and method thereof |
| CN103378971B (en) * | 2012-04-27 | 2017-10-13 | 厦门雅迅网络股份有限公司 | A kind of data encryption system and method |
| TWI592824B (en) * | 2016-07-12 | 2017-07-21 | 優碩資訊科技股份有限公司 | Data processing system capable of securing files |
| CN108509802B (en) * | 2018-02-28 | 2020-01-14 | 郑州信大捷安信息技术股份有限公司 | Application data anti-leakage method and device |
| CN110493265A (en) * | 2019-09-18 | 2019-11-22 | 珠海格力电器股份有限公司 | The method and storage medium of encryption data |
| CN111538995B (en) * | 2020-04-26 | 2021-10-29 | 支付宝(杭州)信息技术有限公司 | Data storage method and device and electronic equipment |
2020-09-30: CN application CN202011059756.5A, patent CN111931222B, status Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN111931222A (en) | 2020-11-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10878083B2 (en) | | Mobile device having trusted execution environment |
| CN109413043B (en) | | Method and device for realizing dynamic configuration of database, electronic equipment and storage medium |
| US9054865B2 (en) | | Cryptographic system and methodology for securing software cryptography |
| CN111917540B (en) | | Data encryption and decryption method and device, mobile terminal and storage medium |
| US10440111B2 (en) | | Application execution program, application execution method, and information processing terminal device that executes application |
| CN111274611A (en) | | Data desensitization method, device and computer readable storage medium |
| WO2020187008A1 (en) | | Service invocation control method, service invocation method, device, and terminal |
| CN109697370A (en) | | Database data encipher-decipher method, device, computer equipment and storage medium |
| CN114650154B (en) | | Webpage authority behavior control method and device, computer equipment and storage medium |
| WO2022189851A1 (en) | | Systems, methods, and computer-readable media for utilizing anonymous sharding techniques to protect distributed data |
| US11061998B2 (en) | | Apparatus and method for providing security and apparatus and method for executing security to protect code of shared object |
| CN111931222B (en) | | Application data encryption method, device, terminal and storage medium |
| CN113849558B (en) | | Method and device for deploying data sharing service |
| CN113886014A (en) | | Middleware loading dynamic key method, device, device and storage medium |
| CN118502881A (en) | | Key management method and system on chip |
| CN118606969A (en) | | Data volume encryption and decryption method, device, equipment, storage medium, computer program product and system |
| CN117150521A (en) | | Transparent encryption and decryption method and device for universal encryption card |
| CN105592033B (en) | | trusted service management system and method |
| TWI441534B (en) | | A method of the data transmission of the mobile phone and the system therefore |
| US20160063264A1 (en) | | Method for securing a plurality of contents in mobile environment, and a security file using the same |
| CN114218536B (en) | | Resource request method and system |
| CN114244573B (en) | | Data transmission control method, device, computer equipment and storage medium |
| CN115437651B (en) | | Application page loading method and device, storage medium and electronic equipment |
| CN114174990B (en) | | Data management method and device, electronic element and terminal equipment |
| CN108965573A (en) | | A kind of guard method of Android mixed mode mobile application internal resource and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |