[go: up one dir, main page]

WO2018171092A1 - Procédé de mise à jour d'autorisations et dispositif terminal - Google Patents

Procédé de mise à jour d'autorisations et dispositif terminal Download PDF

Info

Publication number
WO2018171092A1
WO2018171092A1 PCT/CN2017/093025 CN2017093025W WO2018171092A1 WO 2018171092 A1 WO2018171092 A1 WO 2018171092A1 CN 2017093025 W CN2017093025 W CN 2017093025W WO 2018171092 A1 WO2018171092 A1 WO 2018171092A1
Authority
WO
WIPO (PCT)
Prior art keywords
permission
terminal device
permission list
application
list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2017/093025
Other languages
English (en)
Chinese (zh)
Inventor
黄洁静
彭峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201780028139.9A priority Critical patent/CN109076126B/zh
Publication of WO2018171092A1 publication Critical patent/WO2018171092A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Definitions

  • the embodiment of the present invention relates to the field of communications, and in particular, to a rights update method and a terminal device.
  • API Application Programming Interface
  • APK Android Package
  • the traditional certificate authorization scheme does not involve subsequent update issues. If the API permissions of the APK are changed (adding or revoking a permission), you need to package the new authorization file and reinstall the APK, or download it over the air.
  • Over-the-Air Technology OTA
  • the OTA method is equivalent to downloading and installing the APK. The update process is cumbersome. At the same time, by directly uninstalling the entire APK or directly canceling the entire certificate, the APK is affected. Continue to use, expanding the scope of the damage of the authorized APK manufacturers.
  • the embodiment of the invention provides a rights update method and a terminal device.
  • the entire APK is not processed or the entire certificate is revoked, so that the user does not need to re-download the update APK, thereby improving the user experience and reducing the conflict of interest between the user and the authorized APK manufacturer.
  • a method for updating a privilege may include: acquiring, by a terminal device, a first privilege list from a server, where the first privilege list is a privilege list after the server updates the privilege, and the server is corresponding to the application distribution service of the terminal device. server.
  • the terminal device obtains the first permission list from the server.
  • the terminal device updates the permission list of the application currently installed by the terminal device according to the first permission list, and obtains the second permission list of the terminal device, so that the terminal device controls or manages the currently installed application according to the second permission list.
  • the method adopts refined control to specifically add or disable an API permission, or implements granting or reclaiming API permissions in one time, and the user does not need to re-download the update APK, thereby improving the user experience and reducing conflicts of interest between the two parties.
  • the first privilege list is a privilege list after the privilege is updated, and the terminal device obtains the first privilege list from the server, where the terminal device sends a trigger message to the server, where the trigger message includes
  • the identification information of the terminal device where the identification information may be the device number information of the terminal device or the user account information corresponding to the terminal device, such as the user identity information such as the user's mobile phone number and the user mailbox number.
  • the identifier information is used to enable the server to determine, according to the identifier information, the application currently installed by the device, and send a response message to the terminal device, where the response message includes the first permission list.
  • the first privilege list is specifically a privilege list after the privilege is updated by the application provided by the application distribution service on the terminal device of the server service, and the terminal device obtains the first privilege list from the server, including: receiving by the terminal device The server broadcasts a system message sent, and the system message includes a first permission list.
  • the first permission list includes modified permissions for at least one application.
  • the first list of permissions includes permissions granted or revoked for at least one application.
  • the first permission list includes rights to reauthorize at least one application.
  • the terminal device updates the permission list of the currently installed application of the terminal device according to the first permission list, and obtains the second permission list of the terminal device, including: the terminal device according to the first permission list, to the terminal
  • the permission of the permission list of the currently installed application of the device is updated, and the updated permission list is the second permission list of the terminal device.
  • the method further includes: when the terminal device applies for a permission, the terminal device identifies the authorization certificate of the applied authority and the authority authorization file of the corresponding application of the permission. Legitimacy; if the authorization certificate of the authority and the authority authorization file of the corresponding application of the authority are legal, and the second permission list includes the permission of the application, the terminal device completes the application for the authority of the application.
  • a terminal device having a function of implementing the behavior of the terminal device in the actual method.
  • This function can be implemented in hardware or in hardware by executing the corresponding software.
  • the hardware or software includes one or more modules corresponding to the functions described above.
  • another terminal device which can include a receiver and a processor.
  • the receiver is configured to obtain a first permission list from the server, where the first permission list is a permission list after the server updates the authority, and the server is a server corresponding to the application distribution service of the terminal device.
  • the processor is configured to update the permission list of the currently installed application of the terminal device according to the first permission list, and generate a second permission list of the terminal device, so that the terminal device controls or manages the currently installed application according to the second permission list.
  • the terminal device includes a sender
  • the first permission list is an updated permission list of the application currently installed by the terminal device
  • the sender is configured to send a trigger message to the server, where the trigger message includes the identifier information of the terminal device.
  • the identifier information is used to enable the server to determine, according to the identifier information, the application currently installed by the terminal device, and send a response message to the terminal device, where the response message includes the first permission list.
  • the first privilege list is a privilege list for updating the privilege of the application provided by the application distribution service on the terminal device of the server service
  • the receiver is further configured to receive the system message sent by the server broadcast, where the system message includes A list of permissions.
  • the first permission list includes modified permissions for at least one application.
  • the first list of permissions includes permissions granted or revoked for at least one application.
  • the first permission list includes rights to reauthorize at least one application.
  • the terminal device is specifically configured to update, according to the first permission list, the permission of the currently installed application permission list, to obtain an updated permission list, where the updated permission list is the terminal.
  • the second permission list for the device.
  • the processor is further configured to: when the terminal device applies for a permission, identify the authorization certificate of the applied authority and the legality of the authority authorization file of the corresponding application of the permission; The authority authorization file of the corresponding application of the certificate and the authority is legal, and the second permission list includes the permission of the application, and the application for the authority of the application is completed.
  • a computer program product which, when run on a computer, causes the computer to perform the method of any of the alternative implementations described above.
  • a fifth aspect a computer readable storage medium having stored thereon a computer program, the computer program being executed to implement the method of any of the above alternative implementations.
  • FIG. 1 is a schematic structural diagram of a rights update system
  • FIG. 2 is a schematic diagram of a permission update prompt information
  • FIG. 3 is a schematic flowchart of a method for updating a rights according to an embodiment of the present disclosure
  • FIG. 4 is a schematic diagram of a scenario in which a terminal device acquires a first permission list according to an embodiment of the present disclosure
  • FIG. 5 is a schematic flowchart of a permission disabling method according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a method for granting or revoking rights according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of another terminal device according to an embodiment of the present invention.
  • the authority update method of the present application can be applied to the authority update system shown in FIG. 1.
  • the system can include, but is not limited to, a server and a terminal device.
  • a server for at least one APK (such as WeChat, QQ, Tencent video, etc.) provided by an application distribution service (such as an application market, an application store, etc.) on an associated device (or service)
  • the server may be a server corresponding to the distribution service of the terminal device, or may be a server that provides a cloud service for the terminal device, or a server corresponding to the terminal device manufacturer.
  • the server may include an API token platform for managing the update of the API permissions of each APK (assuming that the API permissions have been authorized for each APK), and collecting the violations of the user feedback or the violation of the APK. , generate permission update information.
  • the API token platform may update the API permissions, including but not limited to disabling permissions, adding permissions, or reclaiming (granting or revoking) permissions and reauthorizing permissions.
  • the API permissions may include accessing location information permissions, using network interface permissions, and accessing. Address book permissions and SMS reminder permissions.
  • the API token platform can detect violations of all APKs. If the APK includes only three APKs, WeChat, QQ, and Weibo, the API token platform detects violations of WeChat, QQ, and Weibo. .
  • WeChat authorized permissions can have full Internet access, read address book permissions, recording permissions, read SMS permissions;
  • QQ authorized permissions can have access to precise location, use camera permissions, read contacts, and record Permissions and read SMS permissions;
  • Weibo authorized permissions can have access to address book permissions, use of camera permissions, text messaging permissions, access to precise location permissions.
  • WeChat obtains the user when not applying for the precise location permission. Violation of location information, QQ violation of the camera to work when not applying for camera permissions, and violations of microblogging to record users when not applying for recording permission.
  • the API token platform can disable the corresponding API permissions for WeChat, QQ, and Weibo, as shown in Table 1.
  • the authorization file corresponding to WeChat is NO.20151201XXX. After the permission is changed, the read SMS permission is disabled and the precise location permission is obtained.
  • the authorization file corresponding to Weibo is NO.20150815XXX, and the recording permission is disabled after the permission is changed; the corresponding authorization of QQ
  • the file is NO.20150109XXX, and the permission to read SMS permission is disabled after the permission is changed.
  • the scenario of the API token platform for an API privilege (such as Google's new development of a functional interface) or collective recovery of an API privilege (such as a related violation of an APK vendor, reclaiming a certain privilege of all APKs of the vendor), That is, the API token platform can adopt a scenario in which a single API authority is granted or revoked at one time.
  • an API privilege such as Google's new development of a functional interface
  • collective recovery of an API privilege such as a related violation of an APK vendor, reclaiming a certain privilege of all APKs of the vendor
  • the API license platform will only add the change network status permission to WeChat and QQ, and will prevent the mobile phone sleep right from being granted to WeChat, QQ and Weibo (ie all APKs), and will read the address book permissions to WeChat, QQ and Weibo is disabled (ie all APKs) as shown in Table 2.
  • API permissions API authorization file Corresponding APK Change network status permissions NO.20151201XXX WeChat and QQ increase this permission Prevent mobile phone sleep permissions NO.20150815XXX WeChat, QQ and Weibo grant this permission Read address book permissions NO.20150109XXX WeChat, QQ and Weibo disable this permission
  • the authorization file corresponding to changing the network status authority is NO.20151201XXX, the authority is authorized to WeChat and QQ;
  • the authorization file corresponding to the mobile phone dormancy permission is NO.20150815XXX, the authority is authorized to all APKs; read communication
  • the authorization file corresponding to the recording permission is NO.20150109XXX, and this permission is disabled by all APKs.
  • APK1 is WeChat
  • the list of permissions of WeChat before re-authorization can be: prevent the phone from sleeping, calculate the application storage space, send stubborn broadcasts, change the Wi-Fi status, retrieve the running application, read Sync settings, Bluetooth management, display system level alerts, autostart at boot time, write sync settings, read system settings, view WLAN status, full Internet access, view network status, control vibrators, use cameras, read text messages, Read contacts, write contacts, a total of 19 permissions.
  • APK2 is QQ
  • the list of permissions of QQ before re-authorization can be: prevent the phone from sleeping, disable the key lock, send the stubborn broadcast, read the system log file, retrieve the running application, read the synchronization settings, Bluetooth management, expand / Collapse status bar, display system level alerts, update UI settings, write sync settings to restart other applications, view WLAN status, full Internet access, control flash, control vibrator, 15 permissions.
  • APK3 is Weibo.
  • the list of permissions of Weibo before re-authorization can be: prevent the phone from sleeping, disable key lock, read synchronization statistics, send stubborn broadcasts, retrieve running applications, read synchronization settings, Bluetooth management. , Display system level alerts, autostart at boot time, update UI settings, reorder running applications, write sync settings, view WLAN status, full internet access, view network status, control flash, control vibrator, total 17 permissions.
  • the API token platform reauthorizes the API permissions of at least one of WeChat, QQ or Weibo.
  • the list of permissions for the reauthorized WeChat is: Calculate application storage space, send stubborn broadcasts, change Wi-Fi status, Bluetooth management, create Bluetooth connection, display system level alarms, auto start at boot time, write sync settings, read system Set, view WLAN status, full Internet access, view network status, control vibrator, use camera, read text messages, read contacts, write contacts, write text messages, a total of 18 permissions.
  • the list of permissions for re-authorized QQ is: compute application storage space, disable key locks, change Wi-Fi status, send stubborn broadcasts, read system log files, retrieve running applications, create Bluetooth connections, read sync Settings, Bluetooth management, expand/collapse status bar, display system level alerts, update UI settings, write sync settings to restart other applications, view WLAN status, full internet access, control flash, control vibrator, get coarse location permissions , a total of 18 permissions.
  • the list of permissions for re-authorized QQ is: disable key locks, read synchronization statistics, change Wi-Fi status, send stubborn broadcasts, retrieve running applications, read sync settings, Bluetooth management, create Bluetooth connections, display System level alerts, autostart at boot time, update UI settings, reorder running applications, write sync settings, view WLAN status, full internet access, view network status, control flash, control vibrator, write Contact, recording, a total of 20 permissions.
  • the API privilege of at least one of WeChat, QQ or Weibo after the re-authorization is the same as the API privilege of the corresponding re-authorization, that is, the new API privilege of WeChat, QQ or Weibo is the API privilege of the re-authorization. Precise, regardless of the reauthorization (or original) API permissions.
  • the subject of the scene (1) is an APK, that is, certain rights are granted or disabled for an APK (such as WeChat), and the subject of the scene (2) is an API, that is, for an API (such as accessing communication).
  • the permissions granted are granted to certain APKs or require certain APKs to disable this permission.
  • the subject of the scene (3) is the APK.
  • the re-authorized API will directly replace the API permissions of the original APK, that is, the scene (3) does not need to consider which permissions the APK is granted before, which can be directly Make a replacement for the API.
  • the terminal device may be any mobile or portable mobile terminal, including but not limited to a mobile phone, a mobile computer, a tablet computer, a personal digital assistant (PDA), a media player, a smart TV, and the above two or Two or more combinations, etc.
  • a mobile phone a mobile computer
  • a tablet computer a personal digital assistant (PDA)
  • PDA personal digital assistant
  • media player a smart TV
  • the terminal device may include, but is not limited to, an input unit, a rights update unit, a rights check unit, an output unit, a communication unit, a storage unit, and the like. These components communicate over one or more buses. It will be understood by those skilled in the art that the structure of the terminal device shown in the figure does not constitute a limitation of the present application. It may be a bus-shaped structure or a star structure, and may include more or less than the illustration. Parts, or combine some parts, or different parts.
  • the communication unit is configured to establish a communication channel between the terminal device and the server, so as to obtain permission update information (such as a permission update list) from the server.
  • the communication unit may include a wireless local area network (wireless LAN) module, a Bluetooth module, a baseband module, and the like, and a radio frequency (RF) circuit corresponding to the communication module.
  • the communication module is used to control communication of components in the terminal device, and can support Direct Memory Access.
  • the storage unit is configured to store the acquisition authority update information, the software program (such as a sound player, an image player, and the like) and the data (such as audio data, phone book, etc.) created according to the use of the terminal device.
  • the storage unit may include a volatile memory, such as non-volatile volatile random access memory (NVRAM), phase change random access memory (PRAM), magnetic Resistive random access memory (MRAM), etc., may also include non-volatile memory, such as at least one disk storage device, Electronically Erasable Programmable Read-Only Memory (EEPROM) , flash memory devices, such as NOR flash memory or NAND flash memory
  • NVRAM non-volatile volatile random access memory
  • PRAM phase change random access memory
  • MRAM magnetic Resistive random access memory
  • EEPROM Electronically Erasable Programmable Read-Only Memory
  • flash memory devices such as NOR flash memory or NAND flash memory
  • the privilege updating unit is configured to send the first indication information to the input unit according to the privilege of the currently installed APK of the terminal device and the acquired privilege update information, where the first indication information is used to indicate whether the input unit (such as a display screen) displays whether to apply The updated prompt information is used to complete the permission update according to the input information of the user. As shown in FIG. 2, the display screen displays whether an APK (such as XXX) has a new version updated, and when the user selects Yes, the permission update unit pairs The permissions of the APK are updated, and vice versa.
  • the input unit may be a touch panel or other human-computer interaction interface.
  • the rights update unit may further send second indication information to the output unit according to the rights of the currently installed APK and the obtained rights update information, where the second indication information is used to indicate the voice of the output unit (such as a sound output unit) Prompt whether to perform the application update prompt information, so as to complete the permission update according to the user input information.
  • the input unit may be an image output unit (such as a display panel) and a sound output unit.
  • the rights update unit may further update the rights of the currently installed APK according to the obtained rights update information.
  • the touch panel used in the above input unit can also serve as a display panel of the output unit at the same time.
  • the touch panel detects a touch or proximity gesture operation thereon, the touch panel is transmitted to the rights update unit to determine the type of the touch event, and then the rights update unit provides a corresponding visual output on the display panel according to the type of the touch event.
  • the input unit and the output unit are two independent components to implement the input and output functions of the terminal device, in some embodiments, the touch panel and the display panel may be integrated to implement the terminal device. Input and output functions.
  • the permission checking unit is configured to determine the legality of the APK's authorization certificate and determine the APK's API authorization file when the terminal device applies for an API permission (such as using the network interface authority) during the operation of the APK (such as WeChat). Legitimacy (that is, check whether the signature information of the authorization file is true). If it is legal, further query the second permission list, and confirm the API permission of the current application to determine whether the APK has the right to apply for the API permission, thereby determining whether The application for the API permission is completed, that is, the terminal device allows the APK to apply for the call only if the permission exists in the second permission list.
  • an API permission such as using the network interface authority
  • Legitimacy that is, check whether the signature information of the authorization file is true. If it is legal, further query the second permission list, and confirm the API permission of the current application to determine whether the APK has the right to apply for the API permission, thereby determining whether The application for the API permission is completed, that is, the terminal device allows the APK to apply for
  • terminal device is only an example provided by the embodiment of the present invention, and the terminal device may have more or less components than the illustrated components, may combine two or more components, or may have Different configurations of components are implemented.
  • the present application uses a more refined control to specifically disable at least one API permission of an APK, or uniformly grant or revoke an API permission for multiple APKs, or re-issue the API rights of the re-authorization.
  • the update process does not involve processing the entire APK or revoking the entire certificate, that is, it does not affect the continued use of other permissions of the APK, which improves the user experience and does not expand the scope of the interests of the authorized APK vendors; at the same time, the user does not need to re-download the update APK. It ensures that the certificate and authorized API permissions can be updated or disabled in time, eliminating the abuse of certificates and API permissions, thus ensuring the security of the user terminal.
  • FIG. 3 is a schematic flowchart diagram of a method for updating a rights according to an embodiment of the present invention.
  • the method can include:
  • Step 310 The terminal device acquires the first permission list.
  • the terminal device After the terminal device is connected to the network, when it is detected that the current system version is low or the associated server has an application update, the terminal device needs to obtain the first permission list of the application to perform permission update on the currently installed application.
  • the first permission list is a permission list after the server updates the permission to the application on the application distribution service, or the first permission list is a permission list after the permission is updated for the currently installed application of the terminal device, that is, the first permission list. It can include only the changed API permissions corresponding to all APKs, and can also include changed API permissions and unchanged API permissions for all APKs.
  • the first privilege list may include only the changed API privilege corresponding to the APK currently installed by the terminal device, and may also include the changed API privilege corresponding to the currently installed APK of the terminal device and the unmodified API privilege.
  • all APKs are applications provided by the application distribution service on the terminal device served by the server, that is, all APKs are applications that the server can control.
  • the APK in the API license platform of the server may include NetEase mailbox, Tencent video, Taobao, and Meituan, and the correspondence between the above APK and the corresponding API is as shown in Table 3.
  • APK package name API authorization file Corresponding API NetEase mailbox NO.20151xxx Read contact permissions, read calendar permissions
  • change Wi-Fi permissions Meituan NO.20154xxx Get precise location permissions
  • the authorization file corresponding to the NetEase mailbox is NO.20151xxx, the corresponding API is to read the contact authority and read the calendar permission; the authorization file corresponding to the Tencent video is NO.20152xxx, and the corresponding API is to obtain the precise location permission;
  • the authorization file corresponding to Taobao is NO.20153xxx, the corresponding API is to read the contact authority and change the Wi-Fi permission; the authorization file corresponding to the US group is NO.20154xxx, and the corresponding API is to obtain the precise location permission.
  • the terminal device obtains the first permission list from the server, as shown in FIG. 4:
  • the terminal device may receive a system message sent by the server, and the system message includes a first permission list, so that the terminal device obtains the first permission list.
  • the first permission list is an updated permission list of all the APKs, and before the terminal device obtains the first permission from the server, the API token platform of the server applies the application provided by the distribution service to the terminal device served by the server. The permissions are updated to generate a first permission list.
  • the API token platform of the server checks that the NetEase mailbox has violations, it needs to disable its corresponding permissions.
  • the API token platform updates Table 3.
  • the permission update list may only include API permissions corresponding to the changed APK (such as Table 4) and API permissions corresponding to the changed APK and API permissions corresponding to the unchanged APK (eg table 5).
  • APK package name API authorization file Corresponding API NetEase mailbox NO.20151xxx Read contact permissions, read calendar permissions Tencent video NO.20152xxx Get precise location permissions, retrieve running application permissions Meituan NO.20154xxx Get precise location permissions, retrieve running application permissions
  • APK package name API authorization file Corresponding API NetEase mailbox NO.20151xxx Read contact permissions, read calendar permissions
  • Tencent video NO.20152xxx Get precise location permissions retrieve running application permissions Taobao NO.20153xxx Read contact permissions, change Wi-Fi permissions Meituan NO.20154xxx Get precise location permissions, retrieve running application permissions
  • the terminal device may send a trigger message to the API license platform of the server, where the trigger message may include the identifier information of the terminal device.
  • the identification information may be device number information of the terminal device or user account information corresponding to the terminal device, such as user identity information such as the user's mobile phone number and user mailbox number.
  • the API token platform of the server obtains the APK currently installed by the terminal device according to the identifier information of the terminal device, and updates the permission of the currently installed application of the terminal device to generate the first A list of permissions.
  • the API token platform of the server sends the response message of the trigger message to the terminal device, where the response message may include a first permission list, where the first permission list is an API update list corresponding to the APK currently installed by the terminal device.
  • the trigger message may further include one or more of an APK list of the terminal device, an installation status of the corresponding APK, an APK list currently installed by the terminal device, and server account information of the terminal device.
  • the API token platform queries whether the APK currently installed by the terminal device exists in the updated permission list of all the APKs. If not, the API token platform sends a response message to the terminal device, and the response message may include the indication information. To indicate that the terminal device does not have an API permission update. If the API token platform sends a response message to the terminal device, the response message may include a first permission list to indicate that the terminal device has an update of the API authority.
  • Step 320 The terminal device updates the permission list of the application currently installed by the terminal device according to the first permission list, and generates a second permission list of the terminal device, so that the terminal device controls the currently installed application according to the second permission list. management.
  • update refers to recording, waiting for the APK to check when applying for API permission during use.
  • a list of currently installed APKs and corresponding API permissions stored locally by the terminal device is shown in Table 6.
  • APK package name API authorization file Corresponding API NetEase mailbox NO.20151xxx Read contact permissions, read calendar permissions Taobao NO.20153xxx Read contact permissions, change Wi-Fi permissions Meituan NO.20154xxx Get precise location permissions
  • the authorization file corresponding to the currently installed NetEase mailbox is NO.20151xxx, and the corresponding API is the read contact permission and the read calendar permission;
  • the currently installed Taobao authorization file is NO.20153xxx, and the corresponding API is Read the contact rights and change the Wi-Fi rights;
  • the currently installed US group's authorization file is NO.20154xxx, and the corresponding API is to obtain the precise location permission.
  • the terminal device pops up a prompt box prompting the user whether to update, and when the user selects to perform the update, the terminal device uses the first permission list and the application information of the terminal device (for example, the number of the installed APK, the category, and the like), determine the APK to be updated by the terminal device, and update the rights corresponding to the updated APK, and obtain the updated permission list, and the updated permission list is the terminal device.
  • Two permission lists For example, the number of the installed APK, the category, and the like, determine the APK to be updated by the terminal device, and update the rights corresponding to the updated APK, and obtain the updated permission list, and the updated permission list is the terminal device.
  • the terminal device determines, according to the obtained first permission list and the application information of the terminal device, a locally stored list of rights of the currently installed APK to be updated, and the currently installed updated APK has a permission list as shown in Table 7. .
  • the terminal device pops up a prompt box prompting the user whether to update, when the user selects to perform the update, the terminal device Directly receiving the first permission list sent by the API token platform, the terminal device updates the locally stored APK to be updated according to the first permission list, and obtains the updated permission list, where the updated permission list is the terminal device.
  • the second permission list the terminal device
  • an APK such as WeChat
  • an API permission such as using the network interface permission
  • the method of the above embodiment of the present invention adopts refined control to specifically disable certain API permissions, by simply reclaiming or granting an API permission, or by separately binding the authorization file with an API permission to achieve a one-time operation.
  • To grant or reclaim an API permission the user does not need to re-download the update APK, so that the user has no perception, thereby improving the user experience and reducing conflicts of interest between the two parties.
  • the following is an example of obtaining the first permission list sent by the server through the terminal device. Use the process.
  • FIG. 5 is a schematic flowchart of a permission disabling method according to an embodiment of the present invention.
  • the method can include:
  • Step 500 The API token platform updates the API permissions of each APK according to the violation behavior of the vendor feedback or the violation of the APK, forms a first permission list, and broadcasts and issues the first permission list to the online terminal device, the first permission The list is a list of permissions for all APKs after the update.
  • Step 510 The terminal device receives the first permission list and stores it locally.
  • Step 520 The terminal device determines, according to the installation situation of the local APK and the first permission list, the APK of the terminal device to be updated with the API authority.
  • Step 530 The terminal device updates, according to the first permission list, a second permission list corresponding to the APK to which the API permission is to be updated, where the second permission list is a corresponding permission list of the currently installed APK locally stored by the terminal device.
  • Step 540 The APK applies for an API permission during the running process, and the terminal device first determines whether the authorization certificate of the APK is legal. If it is not legal, step 550 is performed. If it is legal, step 560 is performed.
  • Step 550 rejecting the application of the API permission of the current time.
  • Step 560 The end device determines the validity of the API authorization file of the APK (that is, checks whether the signature information of the authorization file or the public key is true). If it is legal, go to step 570. If not, go to step 550.
  • Step 570 The terminal device queries the updated second permission list to determine whether the APK has the right to apply for the API permission. If yes, go to step 480. If not, go to step 590.
  • Step 580 The API permission of the APK is disabled in the second permission list, and the terminal device rejects the application of the current API permission.
  • Step 590 The API permission of the APK is not in the second permission list, and the terminal device allows the application of the current API permission (not disabled).
  • the above method can specifically disable the API permission, and does not involve processing the entire APK or revoking the entire certificate.
  • the method does not affect the continued use of the APK, and does not expand the scope of damage to the authorized APK vendors; the user does not need to re-download the update APK, so that the user has no perception, thereby improving the user experience and reducing the conflict of interest between the two parties.
  • the foregoing method is not limited to the disabling of the API privilege, and is also applicable to the scenario of granting or revoking the API privilege, and replacing or re-authorizing the privilege of the API.
  • the following takes the first permission list delivered by the server in the terminal device mode 2 as an example to describe in detail the process of granting or revoking individual rights.
  • FIG. 6 is a schematic flowchart of a method for granting or revoking rights according to an embodiment of the present invention.
  • the method can include:
  • Step 600 The API token platform updates the API permissions of each APK according to the violation behavior reported by the vendor or the violation event of the APK, and forms an updated permission list of all the APKs.
  • Step 610 The terminal device sends a trigger message to the API license platform of the server, where the trigger message may include the identifier information of the terminal device to request the first permission list, where the first permission list is an API update corresponding to the APK currently installed by the terminal device. List.
  • Step 620 The API token platform determines an APK currently installed by the terminal device according to the identifier information of the terminal device.
  • Step 630 The API token platform determines whether there is an APK currently installed by the terminal device in the updated permission list of all the APKs. If not, step 640 is performed; if yes, step 650 is performed.
  • Step 640 The API token platform sends a response message to the terminal device, where the response message may include indication information to indicate that the terminal device does not have an update of the API authority.
  • Step 650 The API token platform filters out the first permission list required by the terminal device, and sends a response message to the terminal device, where the response message may include the first permission list.
  • Step 660 The terminal device updates, according to the first permission list, a second permission list corresponding to the APK to which the API permission is to be updated, where the second permission list is a corresponding permission list of the currently installed APK locally stored by the terminal device.
  • Step 670 The APK applies for an API permission during the running process, and the terminal device first determines whether the authorization certificate of the APK is legal. If it is not legal, go to step 680. If it is legal, go to step 690.
  • step 680 the application for the API permission of this time is rejected.
  • Step 690 The terminal device determines the validity of the API authorization file of the APK (that is, checks whether the signature information of the authorization file or the public key is true). If it is legal, go to step 700. If not, go to step 680.
  • Step 700 The terminal device queries the updated second permission list to determine whether the APK has the right to apply for the API permission. If yes, go to step 710. If not, go to step 720.
  • Step 710 The API permission of the APK is disabled in the second permission list, and the terminal device rejects the application of the current API permission.
  • Step 720 The API permission of the APK is not in the second permission list, and the terminal device allows the application of the current API permission (not disabled).
  • an authorization file can control multiple APKs at the same time, and the management of the API is convenient and simple, thereby improving the user experience and reducing conflicts of interest between the two parties.
  • the embodiment of the present invention corresponding to the foregoing method further provides a terminal device.
  • the terminal device may include a receiving unit 810 and a processing unit 820.
  • the processing unit may include a rights update unit and a rights check unit.
  • the receiving unit 810 is configured to obtain a first permission list from an API token platform of the server, where the first permission list is a permission list after the server updates the permission on the application on the application distribution service, or the first permission list is the current installation of the terminal device.
  • the application updates the permission list after the permission, and the server distributes the server corresponding to the application of the terminal device.
  • the processing unit (or the authority update unit) 820 is configured to update the permission list of the application currently installed by the terminal device according to the first permission list, and generate a second permission list of the terminal device, so that the terminal device is configured according to the second permission list. Control or manage the currently installed application.
  • the terminal device may further include a sending unit 830.
  • the first permission list is a permission list after the permission is updated for the application currently installed by the terminal device, and the sending unit 830 is configured to send a trigger message to the server, where the trigger message includes the identification information of the terminal device, where the identifier information is used to enable the server to identify the identifier according to the identifier.
  • the information is sent to the terminal device, and the response message includes a first permission list.
  • the first privilege list is a privilege list after the server updates the privilege to the application on the application distribution service
  • the receiving unit 810 is further configured to receive the system message sent by the server broadcast, where the system message includes the first privilege List.
  • the first permission list includes the modified rights to the at least one application.
  • the first permission list includes rights granted or revoked to the at least one application.
  • the first permission list includes rights after reauthorizing the at least one application.
  • the processing unit (or the rights update unit) 820 is specifically configured to: according to the first permission list, update the permission of the currently installed application permission list, and obtain an updated permission list, where the updated permission list is The second permission list of the terminal device.
  • the processing unit (or the permission checking unit) 820 is further configured to: when applying for a permission, identify the authorization certificate of the applied authority and the legality of the authority authorization file of the corresponding application of the permission; And the permission authorization file of the corresponding application of the permission is legal, and the second permission list includes the permission of the application, and the application for the permission of the application is completed.
  • the embodiment of the present invention corresponding to the foregoing method further provides another terminal device.
  • the terminal device may include a receiver 910, a processor 920, a transmitter 930, and a storage 940.
  • Receiver 910 and transmitter 930 can be antennas.
  • Processor 920 can be a central processing unit (CPU), or a combination of a CPU and a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (GAL), or any combination thereof.
  • the memory 940 may include a volatile memory such as a random-access memory (RAM); the memory 940 may also include a non-volatile memory such as a read-only memory (read) -only memory, ROM), flash memory, hard disk drive (HDD) or solid-state drive (SSD). Memory 940 can also include a combination of the above types of memory.
  • the memory 940 stores the program code and can transfer the stored program code to the processor 920.
  • the receiver 910 is configured to obtain a first permission list from an API token platform of the server.
  • the first permission list is a permission list after the server updates the permission to the application on the application distribution service, or the first permission list is a permission list after the permission is updated by the currently installed application of the terminal device.
  • the server is a server corresponding to the application distribution service of the terminal device.
  • the processor 920 is configured to update the permission list of the currently installed application of the terminal device according to the first permission list, and generate a second permission list of the terminal device, so that the terminal device controls the currently installed application according to the second permission list or management.
  • the first privilege list is an updated privilege list of the application currently installed by the terminal device
  • the sender 930 is configured to send a trigger message to the server, where the trigger message includes the identifier information of the device.
  • the identifier information is used to enable the server to determine, according to the identifier information, the application currently installed by the device, and send a response message to the device, where the response message may include the first permission list.
  • the first privilege list is a privilege list after the server updates the privilege to the application on the application distribution service, and the receiver is further configured to receive the system message sent by the server broadcast, where the system message includes the first privilege list.
  • the first permission list includes the modified rights to the at least one application.
  • the first permission list includes rights granted or revoked to the at least one application.
  • the first permission list includes rights after reauthorizing the at least one application.
  • the processor 920 is configured to: update the permission list of the currently installed application of the terminal device according to the first permission list and the application currently installed by the device, and obtain the second permission list of the terminal device.
  • the processor 920 is further configured to: when the device applies for a permission, identify an authorization certificate of the applied authority and a legal authorization file of the corresponding application of the permission; if the authorization certificate and the authority of the authority The permission authorization file of the corresponding application is legal, and the second permission list includes the permission of the application, and the application for the permission of the application is completed.
  • Non-transitory medium such as random access memory, read only memory, flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disc, and any combination thereof.

Landscapes

  • Telephonic Communication Services (AREA)

Abstract

Des modes de réalisation de la présente invention portent sur un procédé et un système de mise à jour d'autorisations. Le procédé peut comprendre les étapes suivantes : un dispositif terminal acquiert une première liste d'autorisations à partir d'un serveur, la première liste d'autorisations étant une liste d'autorisations obtenue après que le serveur a mis à jour des autorisations d'une application sur un service de distribution d'applications, ou la première liste d'autorisations étant une liste d'autorisations obtenue après que les autorisations d'une application actuellement installée sur le dispositif terminal ont été mises à jour, et le serveur étant un serveur correspondant au service de distribution d'applications du dispositif terminal; le dispositif terminal met à jour, selon la première liste d'autorisations, la liste d'autorisations de l'application actuellement installée sur le dispositif terminal, pour générer une seconde liste d'autorisations du dispositif terminal, de telle sorte que le dispositif terminal commande ou gère l'application actuellement installée selon la seconde liste d'autorisations. Ce procédé utilise une commande granulaire pour activer ou désactiver spécifiquement une autorisation API, ou pour accorder ou retirer des autorisations API valables une fois. Un utilisateur n'a pas besoin de re-télécharger et de remettre à jour un APK, ce qui permet d'améliorer l'expérience de l'utilisateur et de réduire les conflits d'intérêt entre deux parties.
PCT/CN2017/093025 2017-03-21 2017-07-14 Procédé de mise à jour d'autorisations et dispositif terminal Ceased WO2018171092A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201780028139.9A CN109076126B (zh) 2017-03-21 2017-07-14 权限更新方法和终端设备

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710170715 2017-03-21
CN201710170715.5 2017-03-21

Publications (1)

Publication Number Publication Date
WO2018171092A1 true WO2018171092A1 (fr) 2018-09-27

Family

ID=63583928

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/093025 Ceased WO2018171092A1 (fr) 2017-03-21 2017-07-14 Procédé de mise à jour d'autorisations et dispositif terminal

Country Status (2)

Country Link
CN (1) CN109076126B (fr)
WO (1) WO2018171092A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230188519A1 (en) * 2020-08-06 2023-06-15 Huawei Technologies Co., Ltd. Method and system for invoking application programming interface, and apparatus

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11550558B2 (en) 2016-02-12 2023-01-10 Nutanix, Inc. Virtualized file server deployment
US11568073B2 (en) 2016-12-02 2023-01-31 Nutanix, Inc. Handling permissions for virtualized file servers
CN111222122A (zh) * 2019-12-31 2020-06-02 航天信息股份有限公司 应用权限管理方法、装置及嵌入式设备
CN111753701B (zh) * 2020-06-18 2023-08-15 百度在线网络技术(北京)有限公司 应用程序的违规检测方法、装置、设备和可读存储介质
CN114065229A (zh) * 2020-07-31 2022-02-18 华为技术有限公司 一种权限管理方法及终端设备
CN115202559A (zh) * 2021-04-08 2022-10-18 华为技术有限公司 权限管理方法及相关设备
CN115422521B (zh) * 2022-08-31 2025-08-15 重庆长安汽车股份有限公司 一种车机系统应用权限管理方法、装置、设备及存储介质

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102200922A (zh) * 2011-04-06 2011-09-28 宇龙计算机通信科技(深圳)有限公司 应用程序安装方法和终端
CN103761471A (zh) * 2014-02-21 2014-04-30 北京奇虎科技有限公司 基于智能终端设备安装应用程序的方法与装置
CN103905651A (zh) * 2014-04-30 2014-07-02 北京邮电大学 智能终端中应用权限管理方法及系统
CN104125335A (zh) * 2014-06-24 2014-10-29 小米科技有限责任公司 权限管理方法、装置及系统

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9578085B2 (en) * 2011-02-28 2017-02-21 Unwired Nation Mobile application system
ES2626552T3 (es) * 2013-08-23 2017-07-25 Huawei Device Co., Ltd. Método y aparato de gestión de permisos y terminal
CN104462889B (zh) * 2013-09-12 2019-04-30 腾讯科技(深圳)有限公司 一种应用权限管理方法及装置
CN105320882A (zh) * 2014-07-28 2016-02-10 腾讯科技(深圳)有限公司 一种应用程序权限控制方法及装置
CN105630518A (zh) * 2014-10-28 2016-06-01 北京娜迦信息科技发展有限公司 Android应用软件资源更新的方法和装置
EP3236382A4 (fr) * 2015-02-09 2017-12-13 Huawei Technologies Co., Ltd. Procédé et contrôleur pour le contrôle de permissions d'application

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102200922A (zh) * 2011-04-06 2011-09-28 宇龙计算机通信科技(深圳)有限公司 应用程序安装方法和终端
CN103761471A (zh) * 2014-02-21 2014-04-30 北京奇虎科技有限公司 基于智能终端设备安装应用程序的方法与装置
CN103905651A (zh) * 2014-04-30 2014-07-02 北京邮电大学 智能终端中应用权限管理方法及系统
CN104125335A (zh) * 2014-06-24 2014-10-29 小米科技有限责任公司 权限管理方法、装置及系统

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230188519A1 (en) * 2020-08-06 2023-06-15 Huawei Technologies Co., Ltd. Method and system for invoking application programming interface, and apparatus

Also Published As

Publication number Publication date
CN109076126A (zh) 2018-12-21
CN109076126B (zh) 2020-09-18

Similar Documents

Publication Publication Date Title
CN109076126B (zh) 权限更新方法和终端设备
US12250220B2 (en) Certificate based profile confirmation
JP6599341B2 (ja) 動的ネットワークアクセス管理のための方法、デバイスおよびシステム
CN112771826B (zh) 一种应用程序登录方法、应用程序登录装置及移动终端
US11025604B2 (en) Methods and apparatus for providing access to a service
US10911939B2 (en) Embedded universal integrated circuit card profile management method and apparatus
CN107079286B (zh) 使用识别模块更改简档的方法及实现方法的电子装置
US8208900B2 (en) Secure device configuration profiles
US10187425B2 (en) Issuing security commands to a client device
US10673639B1 (en) Dynamic object creation and certificate management
CN106506511B (zh) 一种通讯录信息处理方法、装置
CN109716805B (zh) 一种签约数据集的安装方法、终端及服务器
KR20160089436A (ko) 모바일 정보 디바이스들 상에서 원격 콘텐트 및 설정 제어를 위한 관리되는 도메인들
CN108540433A (zh) 用户身份校验方法及装置
CN108848113A (zh) 客户端设备登录控制方法、装置、存储介质及服务器
CN111418181B (zh) 共享数据处理方法、通信装置及通信设备
CN107852598B (zh) 基于无线设备标识符来规避无线设备空间跟踪
WO2016180223A1 (fr) Procédé de gestion de dispositif de communication sans fil, et dispositif de communication sans fil
CN112106376B (zh) 被配置为机顶盒的通用流媒体设备
US20240220145A1 (en) Systems and methods of remote data storage
WO2024064942A1 (fr) Systèmes et procédés de réduction de risque d'identité et d'accès informés par signalisation de risque et posture de dispositif
CN119312372A (zh) 一种设备资源解密方法、装置、电子设备及存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17902233

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17902233

Country of ref document: EP

Kind code of ref document: A1