CN118646604B - Method and device for performing network access on application in intelligent terminal equipment - Google Patents
- Publication number: CN118646604B (application CN202411112903.9A)
- Authority: CN (China)
- Prior art keywords
- network
- configuration information
- application
- network access
- system service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Description
Technical Field
The present invention relates to the field of intelligent terminal security, and in particular to a method and device for performing network access by an application in an intelligent terminal device.
Background Art
Intelligent terminals are a class of embedded computer system devices. With the rapid development of information technology, intelligent terminal products have also emerged in the payment field, such as smart POS devices. A smart POS device is an intelligent terminal device that integrates payment, settlement, identification, printing and other functions; by integrating a range of advanced technologies and software, it provides more efficient and convenient services and brings a new experience to merchants and consumers. The integrated software comprises system software and application software.
In the prior art, application software in an intelligent terminal device usually needs to connect to a network to complete specific operations, which creates the risk that other applications (malicious software or programs) obtain operational data over the network, leading to data leakage. In addition, in the prior art an application in an intelligent terminal device has no authority to configure the network it will access. How to secure the data handled by application software during its operation in an intelligent terminal device has therefore become a technical problem in urgent need of a solution.
Summary of the Invention
To solve the above technical problems, the present invention provides a method and device for an application in an intelligent terminal device to perform network access. The technical solution is as follows:
According to a first aspect of the present invention, a method for an application in an intelligent terminal device to perform network access is provided, the method comprising:
Step S1: the system service determines the application network setting type according to the type of the interface that was called; if the application network setting type is the first type, step S2 is executed;
Step S2: the system service obtains the application configuration information passed in through the called first preset interface and determines, according to the application configuration information, whether user firewall permission information is present; if so, step S3 is executed, otherwise the process ends;
Step S3: the system service obtains the custom IP address list, saves the network access configuration information contained in the application configuration information into the custom IP address list, and passes the network access configuration information to the network driver as a parameter;
Step S4: the network driver writes the network access configuration information into the filtering whitelist rule table by means of a configuration instruction, and the process ends.
The method further comprises:
Step F1: when the system service receives a network connection request initiated by an application in the intelligent terminal device, the system service listens for the network response data packet through the network driver;
Step F2: when the network driver detects the network response data packet, the network driver determines whether the filtering whitelist rule table contains any network access configuration information; if so, step F3 is executed, otherwise the network response data packet is returned to the system service and step F4 is executed;
Step F3: the network driver determines whether the responder's IP address in the network response data packet matches the network access configuration information in the filtering whitelist rule table; if so, the network response data packet is returned to the system service and step F4 is executed, otherwise the network response data packet is discarded, an error is returned to the system service, and step F5 is executed;
Step F4: the system service returns the network response data packet to the application;
Step F5: the system service returns an error to the application.
According to a second aspect of the present invention, an embodiment of the present invention provides an apparatus for setting network access for an application in an intelligent terminal device, characterized in that the apparatus comprises a system service and a network driver;
The system service comprises:
a first determination module, configured to determine the application network setting type according to the type of the interface that was called, and to trigger the first acquisition and judgment module if the application network setting type is the first type;
the first acquisition and judgment module, configured to obtain the application configuration information passed in through the called interface and to determine, according to the application configuration information, whether user firewall permission information is present;
an acquisition and saving module, configured to obtain the custom IP address list when the first acquisition and judgment module determines that user firewall permission information is present, save the network access configuration information contained in the application configuration information into the custom IP address list, and pass the network access configuration information to the network driver as a parameter;
The network driver comprises a configuration module, configured to write the network access configuration information into the filtering whitelist rule table by means of a configuration instruction;
The system service further comprises:
a receiving module, configured to receive a network connection request initiated by an application in the intelligent terminal device and, upon receiving the request, to listen for the network response data packet through the network driver, and further configured to receive the network response data packet sent by the network driver;
a sending module, configured to return the network response data packet to the application, and further configured to return an error to the application;
The network driver further comprises:
a first judgment module, configured to listen for the network response data packet and, when the network response data packet is detected, to determine whether the filtering whitelist rule table contains any network access configuration information; if so, the second judgment module is triggered, otherwise the network response data packet is returned to the system service;
a second judgment module, configured to determine whether the responder's IP address in the network response data packet matches the network access configuration information in the filtering whitelist rule table; if so, the network response data packet is returned to the system service, otherwise the network response data packet is discarded and an error is returned to the system service.
According to a third aspect of the present invention, an embodiment of the present invention provides a computer device comprising a memory, a processor and a computer program stored in the memory, wherein the processor executes the computer program to implement the method for network access by an application in an intelligent terminal device described in the first aspect above.
According to a fourth aspect of the present invention, an embodiment of the present invention provides a computer-readable storage medium having a computer program/instructions stored thereon which, when executed by a processor, implement the method for network access by an application in an intelligent terminal device described in the first aspect above.
According to a fifth aspect of the present invention, an embodiment of the present invention provides a computer program product comprising a computer program/instructions which, when executed by a processor, implement the method for network access by an application in an intelligent terminal device described in the first aspect above.
The technical solution provided by the embodiments of the present invention brings at least the following beneficial effects:
In the method and device for network access by an application in an intelligent terminal device provided by the present invention, the system service and the network driver apply the network access setting information specified by the application according to the determined application network setting type. This solves the security problem in the prior art whereby network access could not be configured because the application lacked permission, allows the application to access and operate securely within a specified network environment, and avoids risks such as data leakage caused by network security problems.
Brief Description of the Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of the network setting part of the method for network access by an application in an intelligent terminal device provided in Embodiment 1 of the present invention;
FIG. 2 is a schematic flow chart of the method for network access by an application in an intelligent terminal device provided in Embodiment 1 of the present invention;
FIG. 3 is a schematic flow chart of the procedure for generating the APK file of the application to be installed, in the method for network access by an application in an intelligent terminal device provided in Embodiment 2 of the present invention;
FIG. 4 is a schematic flow chart of the method for network access by an application in an intelligent terminal device, as carried out when the application is first installed, provided in Embodiment 2 of the present invention;
FIG. 5 is a schematic flow chart of the method for network access by an application in an intelligent terminal device, as carried out during an upgrade installation of the application, provided in Embodiment 2 of the present invention;
FIG. 6 is a schematic flow chart of the method for network access by an application in an intelligent terminal device, as carried out when a third-party application calls the POS management service, provided in Embodiment 3 of the present invention;
FIG. 7 is a schematic flow chart of the method for network access by an application in an intelligent terminal device provided in Embodiment 4 of the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; they are merely examples of devices and methods consistent with some aspects of the present invention as detailed in the appended claims.
To make the objectives, technical solutions and advantages of the present invention clearer, the method for an application in an intelligent terminal device to perform network access provided by an embodiment of the present invention is described in detail below with reference to the accompanying drawings.
Embodiment 1
Embodiment 1 of the present invention provides a method for an application in an intelligent terminal device to perform network access. As shown in FIG. 1 and FIG. 2, the intelligent terminal device comprises a system service and a network driver, and the method comprises:
Step 101: the system service determines the application network setting type according to the type of the interface that was called; if the application network setting type is the first type, step 102 is executed;
Step 102: the system service obtains the application configuration information passed in through the called first preset interface and determines, according to the application configuration information, whether user firewall permission information is present; if so, step 103 is executed, otherwise the process ends;
Step 103: the system service obtains the custom IP address list, saves the network access configuration information contained in the application configuration information into the custom IP address list, and passes the network access configuration information to the network driver as a parameter;
Step 104: the network driver writes the network access configuration information into the filtering whitelist rule table by means of a configuration instruction, and the process ends.
The method further comprises:
Step 201: when the system service receives a network connection request initiated by an application in the intelligent terminal device, the system service listens for the network response data packet through the network driver;
Step 202: when the network driver detects the network response data packet, the network driver determines whether the filtering whitelist rule table contains any network access configuration information; if so, step 203 is executed, otherwise the network response data packet is returned to the system service and step 204 is executed;
Step 203: the network driver determines whether the responder's IP address in the network response data packet matches the network access configuration information in the filtering whitelist rule table; if so, the network response data packet is returned to the system service and step 204 is executed, otherwise the network response data packet is discarded, an error is returned to the system service, and step 205 is executed;
Step 204: the system service returns the network response data packet to the application;
Step 205: the system service returns an error to the application.
In one practicable implementation, the method further comprises the following steps, executed when the system service determines according to the type of the called interface that the application network setting type is the second type:
Step 105: the system service obtains the application configuration information passed in through the called second preset interface and determines, according to the application configuration information, whether user firewall permission information is present; if so, step 106 is executed, otherwise the process ends;
Step 106: the system service obtains the custom IP address list and determines whether it contains the network access configuration information; if so, the network access configuration information is deleted from the custom IP address list and passed to the network driver as a parameter, and step 107 is executed; otherwise the process ends;
Step 107: the network driver deletes the network access configuration information from the filtering whitelist rule table by means of a deletion instruction, and the process ends.
Specifically, the system service determines the application network setting type according to the type of the called interface as follows: when the first preset interface of the system service is called, the system service determines that the application network setting type is the first type; when the second preset interface of the system service is called, the system service determines that the application network setting type is the second type.
In one practicable implementation, the system service comprises a package management service, and the following steps precede step 101:
Step 1101: the package management service obtains the APK file of the application to be installed;
Step 1102: the package management service calls an API to parse the manifest file in the APK file of the application to be installed and obtains the configuration startup item information;
Step 1103: the package management service determines the network access configuration type according to the configuration startup item information and calls the interface of the system service corresponding to that network access configuration type.
Specifically, in one practicable implementation, calling the interface of the system service in step 1103 comprises: the package management service obtains the user firewall permission information and the network access configuration information from the manifest file, assembles the network access configuration information and the user firewall permission information into the application configuration information, and calls the interface of the system service with the application configuration information as a parameter.
Specifically, in one practicable implementation, the method further comprises generating the APK file of the application to be installed;
Generating the APK file of the application to be installed specifically comprises:
Step D1: determining the network access configuration type;
Step D2: writing the configuration startup item information corresponding to the network access configuration type, the network access configuration information and the user firewall permission information into the manifest file in a predetermined format, to obtain the APK file of the application to be installed.
Specifically, in one practicable implementation, in step 103, before the network access configuration information contained in the application configuration information is saved into the custom IP address list, the method further comprises:
Step M21: the system service determines whether the custom IP address list already contains network access configuration information; if so, step M22 is executed, otherwise the network access configuration information contained in the application configuration information is saved into the custom IP address list;
Step M22: the system service obtains the network access configuration information contained in the application configuration information and determines whether the network access configuration information in the custom IP address list is the same as the network access configuration information in the application configuration information; if so, the process ends, otherwise step M23 is executed;
Step M23: the system service deletes the existing network access configuration information from the custom IP address list, passes that network access configuration information to the network driver as a parameter, executes step M24, and then saves the network access configuration information contained in the application configuration information into the custom IP address list;
Step M24: the network driver deletes the network access configuration information that was in the custom IP address list from the filtering whitelist rule table by means of a deletion instruction.
In one practicable implementation, the intelligent terminal device comprises a POS management service;
Before step 101, the method further comprises: the POS management service determines the type of system service interface to call according to the type of interface called by the third-party application, and calls the interface of the system service of the determined type.
Specifically, in one practicable implementation, calling the interface of the system service according to the determined interface type comprises: the POS management service obtains the application package name, assembles the network access configuration information and the application package name into the application configuration information, and calls the interface of the system service with the application configuration information as a parameter.
In one practicable implementation, determining according to the application configuration information whether user firewall permission information is present specifically comprises:
the system service determines, according to the application package name in the application configuration information, whether user firewall permission information is present.
In one practicable implementation, when the system service determines according to the application configuration information that user firewall permission information is present, the method further comprises: the system service obtains the signature verification data from the application configuration information and performs code signature verification; if verification succeeds, network configuration permission is obtained and step 103 is executed; if verification fails, an error is reported and the process ends. The signature verification data comprises the specified parameters, the verification key and the signature data.
In one practicable implementation, when the intelligent terminal device is powered off, the method further comprises: the network driver deletes all network access configuration information from the filtering whitelist rule table by means of a deletion instruction.
In one practicable implementation, when the intelligent terminal device is powered on and restarted, the method further comprises: the system service obtains the saved custom IP address list, traverses it, obtains each item of network access configuration information in turn, passes it to the network driver as a parameter, and executes step 104.
In one practicable implementation, in step 102, when it is determined according to the application configuration information that user firewall permission information is present, the method further comprises: the system service sets the firewall permission group information corresponding to the application according to the user firewall information in the application configuration information;
in step 202, before step 203 is executed, the method further comprises: the network driver determines whether the firewall permission information corresponding to the responder's IP address in the network response data packet is the same as the firewall permission group information in the filtering whitelist rule table; if so, step 203 is executed, otherwise an error is returned to the system service and step 205 is executed.
In the method for network access by an application in an intelligent terminal device provided by the present invention, the system service determines the application network setting type according to the type of the called interface and verifies the application's authority according to the parameters the application passes in. If verification succeeds, network access setting permission is granted and the network driver applies the network access setting information specified by the application according to the determined application network setting type. This solves the problem in the prior art that secure network access could not be configured because the application lacked permission, allows the application to access and operate securely within a specified network environment, and avoids risks such as data leakage caused by network security problems.
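As an added example, not code from the patent, the following Python model walks through the system service and network driver flow described above (steps 101-107, 201-205, M21-M24, and the power-off and restart handling). Class, method and interface names are assumptions, and the custom IP address list is keyed by application package name, which the page implies but does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Assumed name: the page gives android.permission.CONTROL_FIREWALL_RULED as the
# user firewall level in Embodiment 2.
FIREWALL_PERMISSION = "android.permission.CONTROL_FIREWALL_RULED"


@dataclass
class NetworkDriver:
    """Owns the filtering whitelist rule table (steps 104, 107, M24, 202, 203)."""
    rule_table: Set[str] = field(default_factory=set)

    def configure(self, net_cfg: str) -> None:   # step 104: configuration instruction
        self.rule_table.add(net_cfg)

    def delete(self, net_cfg: str) -> None:      # steps 107 / M24: deletion instruction
        self.rule_table.discard(net_cfg)

    def clear(self) -> None:                     # power-off: delete every entry
        self.rule_table.clear()

    def allow_response(self, responder_ip: str) -> bool:
        """Step 202: an empty table passes every response through; step 203:
        otherwise the responder must match a whitelist entry or the packet is dropped."""
        return not self.rule_table or responder_ip in self.rule_table


@dataclass
class SystemService:
    """Keeps the custom IP address list, keyed by application package name."""
    driver: NetworkDriver
    custom_ip_list: Dict[str, str] = field(default_factory=dict)

    def first_preset_interface(self, app_cfg: dict) -> str:
        """Type 1 (configure): steps 102-104 plus the M21-M24 replacement logic."""
        if app_cfg.get("permission") != FIREWALL_PERMISSION:
            return "end"                              # step 102: no permission info
        pkg, new_cfg = app_cfg["package"], app_cfg["net_cfg"]
        old_cfg = self.custom_ip_list.get(pkg)
        if old_cfg is not None:                       # M21: an entry already exists
            if old_cfg == new_cfg:                    # M22: identical, nothing to do
                return "unchanged"
            del self.custom_ip_list[pkg]              # M23: drop the stale entry ...
            self.driver.delete(old_cfg)               # M24: ... and its whitelist rule
        self.custom_ip_list[pkg] = new_cfg            # step 103
        self.driver.configure(new_cfg)                # step 104
        return "configured"

    def second_preset_interface(self, app_cfg: dict) -> str:
        """Type 2 (cancel configuration): steps 105-107."""
        if app_cfg.get("permission") != FIREWALL_PERMISSION:
            return "end"                              # step 105
        cfg = self.custom_ip_list.pop(app_cfg["package"], None)   # step 106
        if cfg is None:
            return "end"
        self.driver.delete(cfg)                       # step 107
        return "deleted"

    def handle_connection(self, responder_ip: str):
        """Steps 201-205: hand the response packet, or an error, to the application."""
        if self.driver.allow_response(responder_ip):
            return "packet", responder_ip             # step 204
        return "error", None                          # step 205

    def shutdown(self) -> None:
        self.driver.clear()                           # the rule table is not persistent

    def restart(self) -> None:
        for cfg in self.custom_ip_list.values():      # replay the saved list into the
            self.driver.configure(cfg)                # driver (step 104)


def run_scenario() -> dict:
    """Walk one application (constructed sample values) through the whole flow."""
    drv = NetworkDriver()
    svc = SystemService(drv)
    app = {"package": "com.example.pos", "permission": FIREWALL_PERMISSION,
           "net_cfg": "192.168.8.102"}
    out = {}
    out["empty_table"] = svc.handle_connection("10.0.0.5")     # nothing whitelisted yet
    out["first"] = svc.first_preset_interface(app)
    out["allowed"] = svc.handle_connection("192.168.8.102")
    out["blocked"] = svc.handle_connection("10.0.0.5")
    out["same"] = svc.first_preset_interface(app)
    out["update"] = svc.first_preset_interface({**app, "net_cfg": "192.168.8.200"})
    out["old_gone"] = svc.handle_connection("192.168.8.102")
    svc.shutdown()
    out["after_shutdown"] = sorted(drv.rule_table)
    svc.restart()
    out["after_restart"] = sorted(drv.rule_table)
    out["no_perm"] = svc.second_preset_interface({"package": "com.example.pos"})
    out["second"] = svc.second_preset_interface(app)
    out["final_table"] = sorted(drv.rule_table)
    return out
```

Note that, exactly as step 202 specifies, an empty rule table passes every response through, so the filtering only takes effect once some application has configured a whitelist entry.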
Embodiment 2
Embodiment 2 of the present invention provides a method for an application in an intelligent terminal device to perform network access, in which a third-party application configures the network by installing an application installation package. As shown in FIG. 3, the procedure for generating the APK file of the application to be installed specifically comprises:
Step 301: determining the network access configuration type;
In this embodiment, the network access configuration types include configuration and cancellation of configuration;
Specifically, the network access configuration type is defined by the preset value of the configuration startup item information: the first preset value, true, indicates that the network access configuration type is configuration, and the second preset value, false, indicates that the network access configuration type is cancellation of configuration;
For example, the configuration startup item is defined as whitelist_enable, and the value of the configuration startup item whitelist_enable is true.
Step 302: writing the configuration startup item information corresponding to the network access configuration type, the network access configuration information and the user firewall permission information into the manifest file in a predetermined format, to obtain the APK file of the application to be installed.
In this embodiment, the network access configuration information includes an IP address and/or a domain name, and the user firewall permission information includes a user firewall level. First, the preset user firewall level android.permission.CONTROL_FIREWALL_RULED must be added to platform.xml and AndroidManifest.xml;
For example, the IP address item is defined as whitelist_ip and the domain name item as whitelist_host; the value of whitelist_ip is 192.168.8.102 and the value of whitelist_host is www.ftsafe.com; the user firewall permission information is defined as android.permission.CONTROL_FIREWALL_RULED;
Specifically, an APK (Android application package) is the file format for application packages on the Android system. The APK file contains all the files of the application, including static resources (assets), library files (lib), signature files (META-INF), compiled resources (res), the manifest file (AndroidManifest.xml), the core code (classes.dex) and the resource mapping file (resources.arsc). For example, the manifest file is:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="com.ft.myapplication">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CONTROL_FIREWALL_RULED" />
    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        android:usesCleartextTraffic="true"
        tools:targetApi="m">
        <meta-data android:name="WebView whitelist" android:value="true"/>
        <meta-data android:name="hostname_whitelist" android:value="https://rc-odhenpos.teknisa.cloud"/>
    </application>
</manifest>
Specifically, the manifest file (AndroidManifest.xml) is a compiled file that describes the application's manifest information, including the package name, application name, permissions, the four major Android components, version and other important information. When the application is packaged, the AndroidManifest.xml file is generated automatically and packaged into the APK file. When the application is installed, the Android system reads this file to determine the application's basic information and permission requirements.
In one practicable manner, the predetermined format in step 302 is specifically a key-value pair format;
For example, the configuration startup item information is:
name: whitelist_enabled value: true/false
The network access configuration information is:
name: whitelist_ip value: 192.168.8.102
name: whitelist_host value: www.ftsafe.com;
In one practicable manner, the manifest file further includes a verification parameter, a key and signature data;
The verification parameter may be a random number, and the signature data is specifically obtained by performing an MD5 calculation on the verification parameter using the key.
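The following is an added example, not code from the patent, showing the system-side counterpart of steps 301 and 302: reading the key-value pairs back out of the manifest meta-data and running the signature check that step 405 later performs on them. The key names whitelist_enabled, whitelist_ip, whitelist_host and the permission name are taken from the page; verify_param, verify_key and signature are assumed names for the verification parameter, key and signature data, and the sample meta-data is constructed. The page only says the signature is an MD5 computed over the parameter with the key, not how the two are combined, so HMAC-MD5 is an assumption made here.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

PERM = "android.permission.CONTROL_FIREWALL_RULED"


def keyed_md5(key: str, param: str) -> str:
    """The 'MD5 over the verification parameter using the key' of the page.
    Assumption: key and parameter are combined as HMAC-MD5."""
    return hmac.new(key.encode(), param.encode(), hashlib.md5).hexdigest()


# Constructed sample of the manifest meta-data written in step 302.
SAMPLE_META = {
    "whitelist_enabled": "true",
    "whitelist_ip": "192.168.8.102",
    "whitelist_host": "www.ftsafe.com",
    PERM: "true",
    "verify_param": "4f2c9a1e",   # the random verification parameter
    "verify_key": "demo-key",     # assumed: the key carried in the manifest
}
SAMPLE_META["signature"] = keyed_md5(SAMPLE_META["verify_key"], SAMPLE_META["verify_param"])


@dataclass
class WhitelistConfig:
    enabled: bool
    ip: Optional[str]
    host: Optional[str]
    has_firewall_permission: bool


def parse_whitelist_config(meta: dict) -> WhitelistConfig:
    """Read the startup item, the IP/domain and the permission back out of the
    key-value pairs. Only the two preset values true/false are accepted for the
    startup item; anything else is rejected rather than silently treated as false."""
    enabled_raw = meta.get("whitelist_enabled", "false").strip().lower()
    if enabled_raw not in ("true", "false"):
        raise ValueError(f"whitelist_enabled must be true or false, got {enabled_raw!r}")
    return WhitelistConfig(
        enabled=(enabled_raw == "true"),
        ip=meta.get("whitelist_ip"),
        host=meta.get("whitelist_host"),
        has_firewall_permission=PERM in meta,
    )


def verify_signature(meta: dict) -> bool:
    """Step 405's check: recompute the 'first data' from parameter and key and
    compare it with the signature data. Missing fields count as a failed check,
    and the comparison is constant-time."""
    try:
        expected = keyed_md5(meta["verify_key"], meta["verify_param"])
    except KeyError:
        return False
    return hmac.compare_digest(expected, meta.get("signature", ""))
```

Because the page carries the key in the same manifest as the parameter and the signature, a passing check only establishes that the three fields are consistent with each other; binding the check to an installer-held key instead would be the natural hardening, but that is outside what the page describes.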
Furthermore, an embodiment of the present invention provides a method for an application in a smart terminal device to access a network. As shown in FIG. 4 and FIG. 5, the method includes a process of installing the application through the installation package, and before the installation process is executed, the method further includes writing the preset interfaces into the Android system and updating it. Specifically, the Android system includes a system service (System Server, SS for short) and a network driver, and the system service further includes a package management service (PackageManagerService, PKMS for short) and a first connection service;
In one practicable manner, as shown in FIG. 4, the network access setting in this embodiment is performed during the first installation of the application. The method specifically includes:
Step 401: The package management service obtains the to-be-installed APK file of the application;
In the Android system, when the system starts, the system service starts the package management service, and the package management service performs the application installation operation;
Specifically, the system starts the package management service by calling a preset method, which is PackageManagerService.installPackage;
In one practicable manner, the application may be installed by means of adb install.
Step 402: The package management service calls the first API interface to parse the manifest file in the to-be-installed APK file and obtains the configuration startup item information;
Specifically, the first API interface is installPackage();
In one practicable manner, calling the first API interface to parse the manifest file in the to-be-installed APK file specifically means: parsing the manifest file through a function object and obtaining the configuration startup item information from the manifest file;
Specifically, the function object is PackageParser.
Step 403: The package management service determines the network access configuration type according to the configuration startup item information; if the network access configuration type is configuration, step 404 is executed;
In one practicable manner, the configuration startup item information is whitelist_enabled, and the first preset value is true;
Specifically, a configuration startup item set to the first preset value means that the network accessed by the application on the terminal device is to be configured; once configuration is complete, only the IP and/or domain name specified in the network access configuration information may be accessed, and all other, unspecified networks are inaccessible.
Step 404: The package management service obtains the user firewall permission information and the network access configuration information from the manifest file, organizes the network access configuration information and the user firewall permission information into the application configuration information, and calls the first preset interface to pass the application configuration information as a parameter to the first connection service;
In this embodiment, obtaining the network access configuration information specifically includes: the package management service determines whether an IP address exists in the manifest file; if so, the IP address is used as the network access configuration information; otherwise, the domain name in the manifest file is obtained and resolved to an IP address, and that IP address is used as the network access configuration information;
In one practicable manner, before step 404 the package management service further determines whether the manifest file contains user firewall permission information; if so, the application corresponding to the to-be-installed APK file is added to a preset permission group and step 404 is executed; otherwise the process ends;
Specifically, adding the application corresponding to the to-be-installed APK file to the preset permission group means: adding AID_CONTROL_FIREWALL 1098 in UIDMap and Android_filesystem_config.h.
Specifically, the first preset interface is CS.addWhitelist.
Step 405: The first connection service determines, according to the type of interface that was called, that the application network setting type is the first type, obtains the application configuration information, and determines from the application configuration information whether user firewall permission information exists; if so, step 406 is executed, otherwise the process ends;
In one practicable manner, the first connection service includes a network connection service (ConnectivityService, CS for short) and a network management service (NetworkManagementService, NMS for short). In step 404, the package management service calling the first preset interface to pass the application configuration information as a parameter to the first connection service specifically means: the package management service calls the first preset interface to pass the application configuration information as a parameter to the network connection service;
Specifically, step 405 is: the network connection service determines, according to the type of interface that was called, that the application network setting type is the first type, obtains the application configuration information, and determines whether user firewall permission information exists in it; if so, step 406 is executed, otherwise the process ends;
Further, determining whether user firewall permission information exists specifically means: determining whether android.permission.CONTROL_FIREWALL_RULED has a corresponding value in the application configuration information; if it does, user firewall permission information exists, otherwise it does not;
In one practicable manner, when it is determined from the application configuration information that user firewall permission information exists, the method further includes: the system service obtains the signature verification data from the application configuration information and performs code signature verification; if verification passes, the network configuration permission is obtained and step 406 is executed; if verification fails, an error is reported and the process ends. The signature verification data includes the specified parameter, the verification key and the signature data;
Specifically, the system service obtaining the signature verification data from the application configuration information and performing code signature verification means: the system service obtains the specified parameter, the verification key and the signature data, computes over the specified parameter with the verification key to obtain first data, and determines whether the first data is consistent with the signature data; if so, verification passes, otherwise verification fails.
Step 406: The first connection service obtains the custom IP address list, saves the network access configuration information from the application configuration information into the custom IP address list, and passes the network access configuration information as a parameter to the network driver;
Specifically, step 406 is: the network connection service obtains the custom IP address list, saves the network access configuration information from the application configuration information into the custom IP address list, and calls the first preset method to pass the network access configuration information as a parameter to the network management service; the network management service then calls the second preset method to pass the network access configuration information as a parameter to the network driver;
Specifically, the first preset method is NMS.enableWhitelist and the second preset method is INetd.enableWhitelist.
Step 407: The network driver configures the network access configuration information into the filter whitelist rule table through a configuration instruction, and the process ends.
In one practicable manner, step 407 is specifically: the network driver sends a configuration instruction to the network firewall tool, and after receiving it the network firewall tool configures the incoming network access configuration information into the filter whitelist rule table;
Specifically, the network driver includes the Netd native service and the firewall controller;
Further, the network management service calling the second preset method to pass the network access configuration information as a parameter to the network driver specifically means: the network management service calls the second preset method to pass the network access configuration information as a parameter to the Netd native service;
Further, step 407 is specifically: the Netd native service calls the third preset method to pass the network access configuration information as a parameter to the firewall controller, the firewall controller sends a configuration instruction to the network firewall tool, and after receiving the configuration instruction the network firewall tool configures the incoming network access configuration information into the filter whitelist rule table;
Specifically, the Netd native service is NetdNativeService (NNS for short), the third preset method is FC.enableWhitelist, the firewall controller is FirewallController (FC for short), and the configuration instruction specifically adds the incoming network access configuration information to the filter whitelist rule table.
In one practicable manner, the network firewall tool executes the configuration instruction using Linux network driver technology; specifically, executing a Linux iptables command adds the network access configuration information to the filter whitelist rule table;
Specifically, the network firewall tool maintains 4 tables and 5 chains, and all data relating to firewall rules is written into these tables and chains. The 4 tables are the filter table (the filter whitelist rule table), the nat table (address translation rules), the mangle table (packet mark modification rules) and the raw table (connection tracking rules); the 5 chains are INPUT (inbound filtering), OUTPUT (outbound filtering), FORWARD (forwarded-packet filtering), PREROUTING (pre-routing rules) and POSTROUTING (post-routing rules);
For example, when the firewall controller sends the command iptables -P OUTPUT DROP, the network firewall tool discards all outbound packets; when it sends iptables -P INPUT DROP, the network firewall tool discards all inbound packets;
When the firewall controller sends iptables -I OUTPUT -s 192.168.8.102 -j ACCEPT, the network firewall tool writes the IP address 192.168.8.102 into the filter table, meaning that only outbound packets for IP address 192.168.8.102 are accepted; sending iptables -I INPUT -s 192.168.8.102 -j ACCEPT means that only inbound packets from IP address 192.168.8.102 are accepted, where -I means insert;
In one practicable manner, the configuration instruction sent by the network driver includes the user firewall permission group information; for example, the configuration instruction is: iptables -I OUTPUT -s 192.168.8.102 -m owner --uid-owner 1098 -j ACCEPT.
In one practicable manner of this embodiment, as shown in FIG. 5, yet another method for an application in a smart terminal device to access a network is provided. Specifically, in this embodiment the network access setting is performed during an upgrade after the application has been installed. The method specifically includes:
Step 501: The package management service obtains the to-be-installed APK file of the application;
In the Android system, the system starts the package management service (PackageManagerService, PKMS for short), and the process of upgrading and installing the application is executed through the package management service;
Specifically, the system starts the package management service by calling a preset method, which is PackageManagerService.updatePackage;
In one practicable manner, the application may be installed or upgraded by remotely pushing the APK file.
Step 502: The package management service calls the second API interface to parse the manifest file in the to-be-installed APK file and obtains the configuration startup item information;
Specifically, the second API interface is updatePackage();
In one practicable manner, calling the second API interface to parse the manifest file in the to-be-installed APK file specifically means: parsing the manifest file through a function object and obtaining the configuration startup item information from the manifest file;
Specifically, the function object is PackageParser.
Step 503: The package management service determines the network access configuration type according to the configuration startup item information; if the network access configuration type is configuration, step 504 is executed; if the network access configuration type is cancellation of configuration, step 512 is executed;
In one practicable manner, the configuration startup item information is whitelist_enabled, and the first preset value is true;
Specifically, a configuration startup item set to the first preset value means that the network accessed by the application on the terminal device is to be configured; once configuration is complete, the application may access only the IP/domain name specified in the network access configuration information, and all other, unspecified networks are inaccessible;
In one practicable manner, the configuration startup item information may instead be the second preset value, which is false;
Specifically, a configuration startup item set to the second preset value means that the configuration of the network accessed by the application on the terminal device is cancelled, that is, the application is allowed to access all networks.
Step 504: The package management service obtains the user firewall permission information and the network access configuration information from the manifest file, organizes the network access configuration information and the user firewall permission information into the application configuration information, and calls the first preset interface to pass the application configuration information as a parameter to the first connection service;
In this embodiment, obtaining the network access configuration information specifically includes: the package management service determines whether an IP address exists in the manifest file; if so, the IP address is used as the network access configuration information; otherwise, the domain name in the manifest file is obtained and resolved to an IP address, and that IP address is used as the network access configuration information;
In one practicable manner, before step 504 the package management service further determines whether the manifest file contains user firewall permission information; if so, the application corresponding to the to-be-installed APK file is added to a preset permission group and step 504 is executed; otherwise the process ends;
Specifically, adding the application corresponding to the to-be-installed APK file to the preset permission group means: adding AID_CONTROL_FIREWALL 1098 in UIDMap and Android_filesystem_config.h.
Specifically, the first preset interface is CS.addWhitelist;
In this embodiment, the first connection service includes a network connection service and a network management service;
Specifically, in step 504, the package management service calling the first preset interface to pass the application configuration information as a parameter to the first connection service means: the package management service calls the first preset interface to pass the application configuration information as a parameter to the network connection service.
Step 505: The first connection service determines, according to the type of interface that was called, that the application network setting type is the first type, obtains the application configuration information, and determines from the application configuration information whether user firewall permission information exists; if so, step 506 is executed, otherwise the process ends;
In this embodiment, the first connection service includes a network connection service and a network management service;
Specifically, step 505 is: the network connection service determines, according to the type of interface that was called, that the application network setting type is the first type, obtains the application configuration information, and determines whether user firewall permission information exists; if so, step 506 is executed, otherwise the process ends;
Step 506: The first connection service obtains the custom IP address list and determines whether network access configuration information exists in the custom IP address list; if so, step 507 is executed, otherwise step 510 is executed;
Specifically, step 506 is: the network connection service obtains the custom IP address list and determines whether network access configuration information exists in the list; if so, step 507 is executed, otherwise step 510 is executed;
Step 507: The first connection service obtains the network access configuration information from the application configuration information and determines whether the network access configuration information in the custom IP address list is the same as that in the application configuration information; if so, the process ends, otherwise step 508 is executed;
Specifically, step 507 is: the network connection service obtains the network access configuration information from the application configuration information and determines whether the network access configuration information in the custom IP address list is the same as that in the application configuration information; if so, the process ends, otherwise step 508 is executed;
Step 508: The first connection service deletes the network access configuration information in the custom IP address list from that list, passes the deleted network access configuration information as a parameter to the network driver, and step 509 is executed;
Specifically, step 508 is: the network connection service deletes the network access configuration information in the custom IP address list from that list and calls the fourth preset method to pass the deleted network access configuration information as a parameter to the network management service; the network management service then calls the fifth preset method to pass it as a parameter to the network driver;
Specifically, the fourth preset method is NMS.disableWhitelist and the fifth preset method is INetd.disableWhitelist.
Step 509: The network driver deletes the network access configuration information from the custom IP address list out of the filter whitelist rule table through a delete instruction, and step 510 is executed;
In one practicable manner, step 509 is specifically: the network driver sends a delete instruction to the network firewall tool, and after receiving it the network firewall tool deletes the network access configuration information passed in from the custom IP address list out of the filter whitelist rule table;
Specifically, the network driver includes the Netd native service and the firewall controller;
Further, the network management service calling the sixth preset method to pass the network access configuration information from the custom IP address list as a parameter to the network driver specifically means: the network management service calls the sixth preset method to pass the network access configuration information from the custom IP address list as a parameter to the Netd native service;
Further, step 509 is specifically: the Netd native service calls the sixth preset method to pass the network access configuration information from the custom IP address list as a parameter to the firewall controller, the firewall controller sends a delete instruction to the network firewall tool, and after receiving the delete instruction the network firewall tool deletes the network access configuration information passed in from the custom IP address list out of the filter whitelist rule table;
Step 510: The first connection service saves the network access configuration information from the application configuration information into the custom IP address list, passes that network access configuration information as a parameter to the network driver, and step 511 is executed;
Specifically, step 510 is: the network connection service saves the network access configuration information from the application configuration information into the custom IP address list and calls the first preset method to pass the network access configuration information as a parameter to the network management service; the network management service then calls the second preset method to pass the network access configuration information as a parameter to the network driver;
Here, the first preset method is NMS.enableWhitelist and the second preset method is INetd.enableWhitelist.
Step 511: The network driver configures the network access configuration information from the application configuration information into the filter whitelist rule table through a configuration instruction, and the process ends;
In one practicable manner, step 511 is specifically: the network driver sends a configuration instruction to the network firewall tool, and after receiving it the network firewall tool configures the incoming network access configuration information into the filter whitelist rule table;
Specifically, the network driver includes the Netd native service and the firewall controller;
Further, the network management service calling the second preset method to pass the network access configuration information as a parameter to the network driver specifically means: the network management service calls the second preset method to pass the network access configuration information as a parameter to the Netd native service;
Further, step 511 is specifically: the Netd native service calls the third preset method to pass the network access configuration information as a parameter to the firewall controller, the firewall controller sends a configuration instruction to the network firewall tool, and after receiving the configuration instruction the network firewall tool configures the incoming network access configuration information into the filter whitelist rule table;
Specifically, the Netd native service is NetdNativeService (NNS for short), the third preset method is FC.enableWhitelist, the firewall controller is FirewallController (FC for short), and the configuration instruction specifically adds the incoming network access configuration information to the filter whitelist rule table.
Step 512: the package management service obtains the user firewall permission information and the network access configuration information from the manifest file, assembles them into the application configuration information, and calls the second preset interface to pass the application configuration information as a parameter to the first connection service;
Specifically, the second preset interface is CS.RemoveWhitelist.
Step 513: the first connection service determines from the type of interface called that the application network setting type is the second type, obtains the application configuration information, and checks from it whether user firewall permission information is present; if so, step 514 is executed, otherwise the process ends;
In one implementation, the first connection service includes a network connection service and a network management service, and in step 512 "the package management service calls the second preset interface to pass the application configuration information to the first connection service" specifically means: the package management service calls the second preset interface to pass the application configuration information as a parameter to the network connection service;
Specifically, step 513 is: the network connection service determines from the type of interface called that the application network setting type is the second type, obtains the application configuration information, and checks whether the application configuration information contains user firewall permission information; if so, step 514 is executed, otherwise the process ends;
Further, checking whether the application configuration information contains user firewall permission information specifically means checking whether android.permission.CONTROL_FIREWALL_RULED has a corresponding value in the application configuration information; if it does, user firewall permission information is present, otherwise it is absent;
Step 514: the first connection service obtains the custom IP address list and checks whether it contains the network access configuration information; if so, it deletes that network access configuration information from the custom IP address list, passes it as a parameter to the network driver, and executes step 515; otherwise the process ends;
In one implementation, step 514 specifically includes: the first connection service obtains the network access configuration information from the application configuration information, obtains the custom IP address list, and checks whether the custom IP address list contains that network access configuration information; if so, it removes the network access configuration information from the custom IP address list, passes it as a parameter to the network driver, and executes step 515; otherwise the process ends;
Alternatively, step 514 specifically is: the network connection service obtains the custom IP address list, deletes the network access configuration information from it, and calls the fourth preset method to pass the network access configuration information as a parameter to the network management service; the network management service then calls the fifth preset method to pass the network access configuration information as a parameter to the network driver;
Specifically, the fourth preset method is NMS.disableWhitelist and the fifth preset method is INetd.disableWhitelist.
Step 515: the network driver deletes the network access configuration information from the filtering whitelist rule table by means of a delete instruction, and the process ends.
In one implementation, step 515 specifically is: the network driver sends a delete instruction to the network firewall tool, which, on receiving it, deletes the passed-in network access configuration information from the filtering whitelist rule table;
Specifically, the network driver includes the Netd local service and the firewall controller;
Further, "the network management service calls the sixth preset method to pass the network access configuration information to the network driver" specifically means: the network management service calls the sixth preset method to pass the network access configuration information as a parameter to the Netd local service;
Further, step 515 specifically is: the Netd local service calls the sixth preset method to pass the network access configuration information as a parameter to the firewall controller; the firewall controller sends a delete instruction to the network firewall tool, which, on receiving it, deletes the passed-in network access configuration information from the filtering whitelist rule table.
In one implementation, when the custom IP address list contains multiple IP addresses, "passing the network access configuration information to the network driver" in step 514 specifically means: iterating over the IP addresses, passing each one's network access configuration information as a parameter to the network driver in turn and executing step 515 for each, until the list is empty.
In one implementation, when the application configuration information is determined to contain user firewall permission information, the method further includes: the system service obtains the signature verification data from the application configuration information and performs code signature verification; if verification passes, network configuration permission is granted and steps 510 to 511 are executed; if verification fails, an error is reported and the process ends. The signature verification data includes the specified parameters, the verification key, and the signature data;
Specifically, "the system service obtains the signature verification data from the application configuration information and performs code signature verification" is: the system service obtains the specified parameters, the verification key, and the signature data, computes over the specified parameters with the verification key to obtain first data, and checks whether the first data matches the signature data; if so, verification passes and network configuration permission is granted; otherwise verification fails, an error is reported, and the process ends.
In this embodiment, in one implementation, when the intelligent terminal device is shut down, the network driver deletes, via the network firewall tool, all network access configuration information that was added to the filtering whitelist rule table;
In this embodiment, in one implementation, when the intelligent terminal device is powered on or restarted, the system service obtains the saved custom IP address list by calling the CS.systemReady() method, iterates over the custom IP address list, obtains its network access configuration information entries in order, and executes steps 510 to 511 for each.
The method for an application in an intelligent terminal device to perform network access provided by this embodiment of the present invention applies to intelligent terminal devices running the Android system. In this embodiment, the intelligent terminal device includes an application, which completes specific user operations by connecting to the network. By setting the access information according to the network access configuration information while the application is installed or upgraded, this solution lets the application perform secure operations within a specified network environment and avoids risks such as data leakage caused by network security problems.
Embodiment 3
Embodiment 3 of the present invention provides a method for an application in an intelligent terminal device to perform network access, in which the method is implemented by a third-party application through an interface function. Before the method is executed, an interface function SDK is provided for third-party applications to call, and the preset interfaces are written into and updated in the Android system of the intelligent terminal device. Specifically, the intelligent terminal device includes a system service and a network driver, and also includes a POS management service (an application process). Further, the system service includes a Connectivity Service (CS for short) and a NetworkManagementService (NMS for short). Further, an ICM interface is defined in advance in the POS management service; the ICM interface includes a first ICM interface and a second ICM interface, where the first ICM interface configures the whitelist and the second ICM interface clears the whitelist;
As shown in FIG. 6, the method for an application in an intelligent terminal device to perform network access provided by this embodiment of the present invention specifically includes:
When the POS management service is called by a third-party application through the first ICM interface, the POS management service calls the first interface of the system service and step 601 is executed; when the POS management service is called by a third-party application through the second ICM interface, the POS management service calls the second interface of the system service and step 605 is executed;
In this embodiment, the method further includes generating the interface function SDK. The third-party application binds to POSsever via AIDL, establishing a connection and performing initialization, then calls POSsever through the interfaces in the SDK, passing the IP address to be configured and the application information as parameters; for example, the parameters passed when calling the first interface are enableWhitelist(String IP, String packageName), and the parameters passed when calling the second interface are disableWhitelist(String IP, String packageName);
Specifically, the first ICM interface is enable.whitelistFromCustomer and the second ICM interface is disable.whitelistFromCustomer.
Step 601: the POS management service calls the first interface and passes the network access configuration information and application information supplied by the third-party application to the system service as the application configuration information;
In this embodiment, the application information is specifically the application package name, for example String packageName;
Step 602: the system service determines from the type of interface called that the application network setting type is the first type, and executes step 603;
In one implementation, the system service includes a network connection service and a network management service, and step 601 specifically is: the POS management service calls the first interface and passes the network access configuration information and application information supplied by the third-party application to the network connection service as the application configuration information;
Specifically, step 602 is: the network connection service determines from the type of interface called that the application network setting type is the first type;
The first preset interface is CS.addWhitelist.
Step 603: the system service determines from the application information whether the application has user firewall permission information; if so, it obtains the custom IP address list, saves the network access configuration information from the application configuration information into the custom IP address list, passes the network access configuration information as a parameter to the network driver, and executes step 604; otherwise the process ends;
In one implementation, "the system service determines from the application information whether the application has user firewall permission information" specifically means: the system service determines from the application package name in the application information whether the application has corresponding user firewall permission information;
Specifically, step 603 is: the network connection service determines from the application information whether the application has user firewall permission information; if so, it obtains the custom IP address list, saves the network access configuration information from the application configuration information into the custom IP address list, and calls the first preset method to pass the network access configuration information as a parameter to the network management service; the network management service then calls the second preset method to pass the network access configuration information as a parameter to the network driver;
Specifically, the first preset method is NMS.enableWhitelist and the second preset method is INetd.enableWhitelist.
Step 604: the network driver configures the passed-in network access configuration information into the filtering whitelist rule table by means of a configuration instruction, and the process ends;
In one implementation, step 604 specifically is: the network driver sends a configuration instruction to the network firewall tool, which, on receiving it, configures the passed-in network access configuration information into the filtering whitelist rule table;
Specifically, the network driver includes the Netd local service and the firewall controller; further, "the network management service calls the second preset method to pass the network access configuration information to the network driver" specifically means: the network management service calls the second preset method to pass the network access configuration information as a parameter to the Netd local service;
Further, step 604 specifically is: the Netd local service calls the third preset method to pass the network access configuration information as a parameter to the firewall controller; the firewall controller sends a configuration instruction to the network firewall tool, which, on receiving it, configures the passed-in network access configuration information into the filtering whitelist rule table;
Specifically, the Netd local service is NetdNativeService (NNS for short); the third preset method is FC.enableWhitelist; the firewall controller is Firewall Controller (FC for short); and the configuration instruction specifically adds the passed-in network access configuration information to the filtering whitelist rule table.
Step 605: the POS management service calls the second interface and passes the application information supplied by the third-party application to the system service as the application configuration information;
In one implementation, step 605 specifically is: the POS management service obtains the application package name, assembles it into the application configuration information, and calls the second preset interface of the system service to pass the application configuration information as a parameter to the system service;
Optionally, step 605 specifically is: the POS management service obtains the application package name and the network access configuration information, assembles them into the application configuration information, and calls the second interface of the system service to pass the application configuration information as a parameter to the system service.
Step 606: the system service determines from the type of interface called that the application network setting type is the second type, and executes step 607;
In one implementation, the system service includes a network connection service and a network management service, and step 605 specifically is: the POS management service calls the second interface and passes the application information supplied by the third-party application to the network connection service as the application configuration information;
Specifically, step 606 is: the network connection service determines from the type of interface called that the application network setting type is the second type;
The second preset interface is CS.RemoveWhitelist.
Step 607: the system service determines from the application information whether the application has user firewall permission information; if so, step 608 is executed, otherwise the process ends;
In one implementation, "the system service determines from the application information whether the application has user firewall permission information" specifically means: the system service determines from the application package name in the application information whether the application has corresponding user firewall permission information;
Specifically, step 607 is: the network connection service determines from the application information whether the application has user firewall permission information; if so, step 608 is executed, otherwise the process ends.
Step 608: the system service obtains the custom IP address list and checks whether it contains network access configuration information; if so, step 609 is executed, otherwise the process ends;
In one implementation, checking whether the custom IP address list contains network access configuration information specifically means: the system service checks whether the custom IP address list contains network access configuration information that the application has already configured; if so, step 609 is executed, otherwise the process ends;
Specifically, step 608 is: the network connection service obtains the custom IP address list and checks whether it contains an IP address; if so, step 609 is executed, otherwise the process ends.
Step 609: the system service deletes the network access configuration information from the custom IP address list, passes the network access configuration information as a parameter to the network driver, and executes step 610;
Specifically, step 609 is: the network connection service deletes the network access configuration information from the custom IP address list and calls the fourth preset method to pass the network access configuration information as a parameter to the network management service; the network management service then calls the fifth preset method to pass the network access configuration information as a parameter to the network driver;
Step 610: the network driver deletes the network access configuration information from the filtering whitelist rule table by means of a delete instruction, and the process ends.
In this embodiment, in one implementation, step 610 specifically is: the network driver sends a delete instruction to the network firewall tool, which, on receiving it, deletes the passed-in network access configuration information from the filtering whitelist rule table;
Specifically, the network driver includes the Netd local service and the firewall controller, and "the network management service calls the fifth preset method to pass the network access configuration information to the network driver" specifically means: the network management service calls the fifth preset method to pass the network access configuration information as a parameter to the Netd local service;
Further, step 610 specifically is: the Netd local service calls the sixth preset method to pass the network access configuration information as a parameter to the firewall controller; the firewall controller sends a delete instruction to the network firewall tool, which, on receiving it, deletes the passed-in network access configuration information from the filtering whitelist rule table;
Specifically, the Netd local service is NetdNativeService; the sixth preset method is FC.disableWhitelist; and the firewall controller is Firewall Controller.
In one implementation, the network firewall tool executes the delete instruction using Linux network driver technology; specifically, executing a Linux iptables command removes the network access configuration information from the filtering whitelist rule table;
For example, the firewall controller issues iptables -D OUTPUT -s 192.168.8.102 -j ACCEPT to remove the access permission for that IP address from the filtering whitelist rule table, where -D means delete;
In one implementation, the execution instruction sent by the network driver also carries the user firewall permission information as an owner uid match, for example: iptables -I OUTPUT -s 192.168.8.102 -m owner --uid-owner 1098 -j ACCEPT.
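The whitelist path of steps 510 to 515 and 603 to 610, the iptables commands quoted just above, the shutdown and restart handling of embodiment 2, and the response check of steps 704 and 705 below, as an added Python model that is not the patent's own code. FirewallController and ConnectivityService are hypothetical stand-ins (NMS and Netd collapsed into direct calls); the iptables strings are built and recorded rather than executed, they use -d on OUTPUT because the whitelisted address is the remote peer, and the package name and uid 1098 pairing is constructed.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, int]  # (whitelisted IP, owner uid) = one filtering whitelist rule


class FirewallController:
    """Stand-in for Firewall Controller (FC): holds the filtering whitelist
    rule table and records the iptables commands it would issue."""

    def __init__(self) -> None:
        self.rule_table: Set[Entry] = set()
        self.issued: List[str] = []

    @staticmethod
    def _rule_args(ip: str, uid: int) -> str:
        # Outbound packets from the app's uid to the whitelisted peer; the
        # owner match is written in standard iptables form (-m owner --uid-owner).
        return f"OUTPUT -d {ip} -m owner --uid-owner {uid} -j ACCEPT"

    def enable_whitelist(self, ip: str, uid: int) -> bool:
        """FC.enableWhitelist (steps 511 / 604): add one rule, refusing duplicates."""
        ipaddress.ip_address(ip)  # raises ValueError before a bad string reaches iptables
        if (ip, uid) in self.rule_table:
            return False
        self.issued.append(f"iptables -I {self._rule_args(ip, uid)}")
        self.rule_table.add((ip, uid))
        return True

    def disable_whitelist(self, ip: str, uid: int) -> bool:
        """FC.disableWhitelist (steps 515 / 610): remove one rule if present."""
        if (ip, uid) not in self.rule_table:
            return False
        self.issued.append(f"iptables -D {self._rule_args(ip, uid)}")
        self.rule_table.discard((ip, uid))
        return True

    def clear_all(self) -> int:
        """Shutdown: drop every rule that was added; returns how many."""
        entries = sorted(self.rule_table)
        return sum(self.disable_whitelist(ip, uid) for ip, uid in entries)

    def accept_response(self, responder_ip: str, uid: int) -> bool:
        """Steps 704/705: an empty table passes every response; otherwise only a
        responder matching a whitelist entry for this uid passes."""
        if not self.rule_table:
            return True
        return (responder_ip, uid) in self.rule_table


class ConnectivityService:
    """Stand-in for CS: keeps the custom IP address list per package and the
    user firewall permission check (package name -> uid of permitted apps)."""

    def __init__(self, fc: FirewallController, firewall_uids: Dict[str, int]) -> None:
        self.fc = fc
        self.firewall_uids = firewall_uids
        self.custom_ip_list: Dict[str, List[str]] = {}

    def add_whitelist(self, package: str, ip: str) -> bool:
        """CS.addWhitelist (steps 510-511 / 603-604)."""
        uid = self.firewall_uids.get(package)
        if uid is None:
            return False  # no user firewall permission: end without configuring
        ips = self.custom_ip_list.setdefault(package, [])
        if ip not in ips:
            ips.append(ip)
        self.fc.enable_whitelist(ip, uid)
        return True

    def remove_whitelist(self, package: str) -> int:
        """CS.RemoveWhitelist (steps 513-515 / 607-610): iterate until the
        package's list is empty; returns the number of rules removed."""
        uid = self.firewall_uids.get(package)
        if uid is None:
            return 0
        removed = 0
        ips = self.custom_ip_list.get(package, [])
        while ips:
            removed += int(self.fc.disable_whitelist(ips.pop(0), uid))
        return removed

    def system_ready(self) -> int:
        """CS.systemReady(): after a restart the rule table is empty but the
        custom IP address list persisted, so re-run steps 510-511 per entry."""
        count = 0
        for package, ips in self.custom_ip_list.items():
            uid = self.firewall_uids.get(package)
            if uid is None:
                continue  # permission lost since the entry was saved
            count += sum(int(self.fc.enable_whitelist(ip, uid)) for ip in ips)
        return count


def demo() -> Dict[str, object]:
    """Constructed scenario: configure, filter, shut down, restart, then clear."""
    fc = FirewallController()
    cs = ConnectivityService(fc, {"com.example.pos": 1098})  # constructed package/uid
    cs.add_whitelist("com.example.pos", "192.168.8.102")
    cs.add_whitelist("com.example.other", "10.0.0.5")  # no permission: ignored
    allowed = fc.accept_response("192.168.8.102", 1098)
    blocked = fc.accept_response("203.0.113.7", 1098)
    fc.clear_all()                       # device shutdown
    reapplied = cs.system_ready()        # device restart
    removed = cs.remove_whitelist("com.example.pos")
    return {"allowed": allowed, "blocked": blocked, "reapplied": reapplied,
            "removed": removed, "issued": fc.issued, "empty": not fc.rule_table}
```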
In one implementation, the application configuration information further includes signature verification data, which includes the specified parameters, the verification key, and the signature data; when the system service determines from the application configuration information that user firewall permission information is present, the method further includes: the system service obtains the signature verification data from the application configuration information and performs code signature verification; if verification passes, network configuration permission is granted; if verification fails, an error is reported and the process ends.
Specifically, "the system service obtains the signature verification data from the application configuration information and performs code signature verification" is: the system service obtains the specified parameters, the verification key, and the signature data, computes over the specified parameters with the verification key to obtain first data, and checks whether the first data matches the signature data; if so, verification passes and network configuration permission is granted; otherwise verification fails, an error is reported, and the process ends.
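The code signature check described here and in embodiment 2 (compute first data over the specified parameters with the verification key, compare with the signature data), as an added Python example that is not the patent's own code, modelled as HMAC-SHA256 with a constant-time comparison. The page lists the verification key among the data carried in the application configuration; the example instead assumes the system service holds the key, since a key delivered alongside the signature cannot establish who produced it. The field names params and signature, the package name and the key bytes are constructed.

```python
import hashlib
import hmac
import json
from typing import Any, Dict


def canonical_params(params: Dict[str, Any]) -> bytes:
    """Serialise the specified parameters deterministically so that signer and
    verifier hash exactly the same bytes regardless of key order or spacing."""
    return json.dumps(params, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def compute_first_data(params: Dict[str, Any], verification_key: bytes) -> bytes:
    """The page's 'first data': a MAC over the specified parameters under the key."""
    return hmac.new(verification_key, canonical_params(params), hashlib.sha256).digest()


def sign_params(params: Dict[str, Any], verification_key: bytes) -> str:
    """Provisioning-side helper, used here only to build the constructed sample."""
    return compute_first_data(params, verification_key).hex()


def verify_signature(app_config: Dict[str, Any], verification_key: bytes) -> bool:
    """True only when first data equals the signature data. Malformed or missing
    fields fail closed; compare_digest keeps the comparison constant-time so the
    check does not reveal how many leading bytes of a forged value were right."""
    params = app_config.get("params")
    signature_hex = app_config.get("signature")
    if not isinstance(params, dict) or not isinstance(signature_hex, str):
        return False
    try:
        signature = bytes.fromhex(signature_hex)
    except ValueError:
        return False
    if len(signature) != hashlib.sha256().digest_size:
        return False
    return hmac.compare_digest(compute_first_data(params, verification_key), signature)


def network_config_permission(app_config: Dict[str, Any], verification_key: bytes) -> str:
    """The two branches on the page: 'granted' proceeds to configure the whitelist,
    'error' reports the failure and ends."""
    return "granted" if verify_signature(app_config, verification_key) else "error"


# Constructed sample data; a real key is provisioned into the system's key store.
SYSTEM_KEY = b"constructed-sample-key-not-for-use"
SAMPLE_PARAMS = {"ip": "192.168.8.102", "packageName": "com.example.pos"}
SAMPLE_CONFIG = {"params": SAMPLE_PARAMS,
                 "signature": sign_params(SAMPLE_PARAMS, SYSTEM_KEY)}
# Same signature, but the IP was changed after signing: must fail.
TAMPERED_CONFIG = {"params": {**SAMPLE_PARAMS, "ip": "203.0.113.7"},
                   "signature": SAMPLE_CONFIG["signature"]}
```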
The method for an application in an intelligent terminal device to perform network access provided by this embodiment of the present invention applies to intelligent terminal devices running the Android system. In this embodiment, the intelligent terminal device includes a third-party application, which calls the POS management service in the device through the interface function SDK to complete the network access setup for the application; the system service and the network driver then apply the network access setting information specified by the application according to the determined application network setting type. This solves the problem in the prior art that an application cannot set up secure network access because it lacks the permission, lets the application perform secure operations within a specified network environment, and avoids risks such as data leakage caused by network security problems.
Embodiment 4
Embodiment 4 of the present invention builds on Embodiment 1 to provide a method for an application in an intelligent terminal device to perform network access. In the prior art, when an Android application enters a domain name in WebView or the Chrome browser to access the Internet, or directly issues an HTTP request to a domain name to obtain the server's response, the Android system performs the following steps:
1. The Android system resolves the domain name via DNS;
2. A TCP connection is established;
3. The client sends the HTTP request;
4. The server processes the HTTP request and returns the HTTP response packet;
5. The browser parses the HTTP response packet, returns the result to the application, and renders and refreshes the page.
To fit the solution of the present invention, as shown in FIG. 7, Embodiment 4 provides a method for network access by an application in an intelligent terminal device, comprising:
Step 701: the application initiates a network connection request;
Specifically, the application opens a domain name in a WebView or the Chrome browser, or directly initiates an HTTP request; the application can be any application on the intelligent terminal device.
Step 702: when the system service receives the network connection request, it listens for the network response packet through the network driver;
Step 703: when the network driver observes a network response packet, it obtains the IP addresses of the receiver and of the responder from the packet;
Step 704: the network driver checks whether the filtering whitelist rule table contains any network access configuration information; if so, step 705 is executed, otherwise the network response packet is returned to the system service and step 706 is executed;
Step 705: the network driver checks whether the responder's IP address in the network response packet matches the network access configuration information in the filtering whitelist rule table; if so, the packet is returned to the system service and step 706 is executed, otherwise the packet is discarded, an error is returned to the system service and step 707 is executed;
Step 706: the system service returns the network response packet to the application;
Step 707: the system service returns an error to the application.
Specifically, the network driver listens for network response packets through a network firewall tool. The main function of the Android network firewall tool iptables is to control packets entering, leaving and being forwarded by the device; when a packet needs to enter the device or be transferred out of it, the network driver forwards and routes it. The iptables firewall tool maintains the filtering whitelist rule table and, according to that table, determines whether the responder's IP address in the network response packet matches the network access configuration information in the table.
For example, an IP address, 192.168.1.131, is configured into the filtering whitelist rule table through the network firewall tool; the firewall tool listens for network response packets, obtains the responder's IP address from each packet and checks whether it exists in the filtering whitelist rule table; if it does, the response is passed on, otherwise the packet is discarded.
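The driver-side decision of steps 703 to 705, together with the iptables whitelist from the 192.168.1.131 example, as an added example that is not the patent's code. It keeps the whitelist as an in-memory table, decides per response packet exactly as the flow chart does (an empty table lets everything through, a non-empty table discards any responder not on it), and renders the equivalent iptables rules as command strings. The chain name and the use of a dedicated chain hung off INPUT are assumptions; the commands are only built, not executed, so the script runs without root.

```python
import ipaddress
from dataclasses import dataclass, field

CHAIN = "APP_WHITELIST"  # assumed name of a dedicated iptables chain hung off INPUT


@dataclass
class ResponsePacket:
    """The part of a network response packet that step 703 extracts: the
    responder (source) and receiver (destination) IP addresses."""
    responder_ip: str
    receiver_ip: str
    payload: bytes = b""


def _normalize(ip):
    """Canonical text form of an IP literal; raises ValueError for garbage."""
    return str(ipaddress.ip_address(ip))


@dataclass
class WhitelistDriver:
    """Network-driver side: owns the filtering whitelist rule table."""
    table: set = field(default_factory=set)

    def configure(self, ip):
        """Configuration instruction: add one network access configuration entry."""
        self.table.add(_normalize(ip))

    def delete(self, ip):
        """Deletion instruction: remove one entry (no error if absent)."""
        self.table.discard(_normalize(ip))

    def delete_all(self):
        """Shutdown: drop every entry in the table."""
        self.table.clear()

    def filter_response(self, pkt):
        """Steps 704 and 705. Returns (packet, None) when the packet is passed
        back to the system service, or (None, error) when it is discarded."""
        if not self.table:
            # Step 704: no whitelist configured, everything is returned unchanged.
            return pkt, None
        try:
            responder = _normalize(pkt.responder_ip)
        except ValueError:
            return None, f"unparseable responder address {pkt.responder_ip!r}, dropped"
        if responder in self.table:
            # Step 705, match: hand the packet to the system service (step 706).
            return pkt, None
        # Step 705, no match: discard and report an error (step 707).
        return None, f"response from {responder} not in whitelist, dropped"

    def iptables_commands(self):
        """The same policy as iptables rules, rendered as command strings (not
        executed). One ACCEPT per whitelisted responder; the closing DROP exists
        only when the table is non-empty, so an empty table passes everything,
        as step 704 requires."""
        cmds = [
            f"iptables -N {CHAIN} 2>/dev/null || true",
            f"iptables -F {CHAIN}",
            f"iptables -C INPUT -j {CHAIN} 2>/dev/null || iptables -I INPUT -j {CHAIN}",
        ]
        for ip in sorted(self.table):
            cmds.append(f"iptables -A {CHAIN} -s {ip} -j ACCEPT")
        if self.table:
            cmds.append(f"iptables -A {CHAIN} -j DROP")
        return cmds


if __name__ == "__main__":
    drv = WhitelistDriver()
    drv.configure("192.168.1.131")  # the whitelist entry from the example above
    for src in ("192.168.1.131", "203.0.113.7"):
        passed, err = drv.filter_response(ResponsePacket(src, "192.168.1.50"))
        print(src, "->", "returned to application" if passed else err)
    print("\n".join(drv.iptables_commands()))
```

Two points a practitioner would check before deploying rules like these. The jump is placed on INPUT, so with a non-empty table it also affects inbound traffic that is not a response to the application's request (loopback, DHCP, incoming connections); a real rule set would narrow the jump, for instance with `-m conntrack --ctstate ESTABLISHED` and `! -i lo`. And the flow chart filters the response after the request has already left the device; stopping the request itself needs a matching OUTPUT chain that tests the destination with `-d` instead of the source with `-s`.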
In one implementable manner, step 102 of Embodiment 1 further includes: the system service sets the firewall permission group information corresponding to the application according to the user firewall information in the application configuration information;
Specifically, in this embodiment, listening for network response packets through the network driver includes: the system service listens, through the network driver, for the network response packets corresponding to the applications for which firewall permission group information has been set.
Specifically, in one implementable manner, if the application does not receive a response within a preset time period, it reports an error and ends.
In the method for network access by an application in an intelligent terminal device provided by the present invention, the system service and the network driver apply the network access setting information specified by the application according to the determined application network setting type. This solves the prior-art problem that an application lacking the permission cannot set up secure network access, lets the application access the network and operate securely within a specified network environment, and avoids risks such as data leakage caused by network security problems.
The following are apparatus embodiments of the present invention, which can be used to carry out the method embodiments. For details not disclosed in the apparatus embodiments, refer to the method embodiments.
An exemplary embodiment of the present invention provides an apparatus for network access by an application in an intelligent terminal device, the apparatus comprising a system service and a network driver.
The system service includes:
a first determination module, configured to determine the application network setting type according to the type of interface called, and to trigger the first acquisition-and-judgment module when the application network setting type is the first type;
a first acquisition-and-judgment module, configured to obtain the application configuration information passed in through the called interface and to judge, from the application configuration information, whether user firewall permission information exists;
an acquisition-and-saving module, configured, when the first acquisition-and-judgment module finds that user firewall permission information exists, to obtain the custom IP address list, save the network access configuration information from the application configuration information into the custom IP address list, and pass the network access configuration information as a parameter to the network driver.
The network driver includes: a configuration module, configured to write the network access configuration information into the filtering whitelist rule table through a configuration instruction.
In this apparatus, the system service further includes:
a receiving module, configured to receive a network connection request initiated by any application on the intelligent terminal device and, on receiving the request, to listen for the network response packet through the network driver; it is also configured to receive the network response packet sent by the network driver;
a sending module, configured to return the network response packet to the application, and also to return an error to the application.
In this apparatus, the network driver further includes:
a first judgment module, configured to listen for network response packets and, when a network response packet is observed, to judge whether the filtering whitelist rule table contains an IP address; if so, the second judgment module is triggered, otherwise the network response packet is returned to the system service;
a second judgment module, configured to judge whether the responder's IP address in the network response packet matches the network access configuration information in the filtering whitelist rule table; if so, the network response packet is returned to the system service, otherwise the packet is discarded and an error is returned to the system service.
Optionally, the system service further includes a second acquisition-and-judgment module and an acquisition-and-deletion module;
the first determination module is further configured to trigger the second acquisition-and-judgment module when the application network setting type is the second type;
the second acquisition-and-judgment module is configured to obtain the application configuration information passed in through the called interface and to judge, from the application configuration information, whether user firewall permission information exists;
the acquisition-and-deletion module is configured, when the second acquisition-and-judgment module finds that user firewall permission information exists, to obtain the custom IP address list, delete the network access configuration information from the custom IP address list, and pass the network access configuration information as a parameter to the network driver;
the network driver further includes a deletion module, configured to delete the network access configuration information from the filtering whitelist rule table through a deletion instruction.
Further optionally, the first determination module is specifically configured to determine that the application network setting type is the first type when the first preset interface is called, and the second type when the second preset interface is called.
Optionally, the system service includes a package management service, which includes an acquisition unit, a determination unit and a calling unit;
the acquisition unit is configured to obtain the APK file of the application to be installed, call the API to parse the manifest file in that APK file, and obtain the configuration startup item information;
the determination unit is configured to determine the network access configuration type according to the configuration startup item information;
the calling unit is configured to call the interface according to the network access configuration type.
Further, the calling unit is specifically configured to obtain the user firewall permission information and the network access configuration information from the manifest file, organize them into the application configuration information, and call the interface with the application configuration information as a parameter.
Further, the apparatus includes a generation module, configured to generate the APK file of the application to be installed;
the generation module is specifically configured to determine the network access configuration type and to write the configuration startup item information corresponding to that type, the network access configuration information and the user firewall permission information into the manifest file in a predetermined format, obtaining the APK file of the application to be installed.
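The package-manager path described above (parse the manifest at install time, determine the network access configuration type from the configuration startup item, collect the firewall permission and network access configuration into the application configuration information, call the matching interface), as an added example that is not the patent's code. The patent says only that these items are written to the manifest in a "predetermined format"; the `<meta-data>` names, the sample manifest and the `RecordingService` stand-in for the system service are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed meta-data keys; the patent does not name them.
KEY_STARTUP = "net.config.type"           # "add" -> first type, "delete" -> second type
KEY_FIREWALL = "net.firewall.permission"  # user firewall permission information
KEY_ACCESS = "net.access.list"            # network access configuration: comma-separated IPs

FIRST_TYPE, SECOND_TYPE = "first", "second"

# Constructed sample manifest (not from the patent).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pos">
  <application>
    <meta-data android:name="net.config.type" android:value="add"/>
    <meta-data android:name="net.firewall.permission" android:value="user_firewall"/>
    <meta-data android:name="net.access.list" android:value="192.168.1.131, 192.168.1.132"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Acquisition unit: pull the package name and every <meta-data> pair."""
    root = ET.fromstring(xml_text)
    meta = {}
    for md in root.iter("meta-data"):
        name = md.get(f"{{{ANDROID_NS}}}name")
        if name is not None:
            meta[name] = md.get(f"{{{ANDROID_NS}}}value")
    return {"package": root.get("package"), "meta": meta}


def determine_config_type(startup_item):
    """Determination unit: map the configuration startup item to a type.
    Anything unrecognised is refused rather than silently treated as 'add'."""
    if startup_item == "add":
        return FIRST_TYPE
    if startup_item == "delete":
        return SECOND_TYPE
    raise ValueError(f"unknown configuration startup item: {startup_item!r}")


def build_app_config(parsed):
    """Organize firewall permission and network access items into the
    application configuration information passed to the interface."""
    meta = parsed["meta"]
    ips = [ip.strip() for ip in (meta.get(KEY_ACCESS) or "").split(",") if ip.strip()]
    return {
        "package": parsed["package"],
        "firewall_permission": meta.get(KEY_FIREWALL),
        "network_access": ips,
    }


class RecordingService:
    """Stand-in for the system service: records which interface was called."""

    def __init__(self):
        self.calls = []

    def add_network_config(self, cfg):      # assumed name of the first preset interface
        self.calls.append(("add", cfg))

    def delete_network_config(self, cfg):   # assumed name of the second preset interface
        self.calls.append(("delete", cfg))


def install(xml_text, system_service):
    """Package-manager flow for one APK: parse, determine the type, call the
    interface that matches it. Returns the type that was selected."""
    parsed = parse_manifest(xml_text)
    config_type = determine_config_type(parsed["meta"].get(KEY_STARTUP))
    cfg = build_app_config(parsed)
    if config_type == FIRST_TYPE:
        system_service.add_network_config(cfg)
    else:
        system_service.delete_network_config(cfg)
    return config_type


if __name__ == "__main__":
    svc = RecordingService()
    print(install(SAMPLE_MANIFEST, svc), svc.calls)
```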
Optionally, the system service further includes a judgment-and-deletion module, which specifically includes a first judgment unit, a first acquisition-and-judgment unit and a processing unit;
the first judgment unit is configured to judge whether the custom IP address list already contains network access configuration information; if so, the first acquisition-and-judgment unit is triggered, otherwise the acquisition-and-saving module is triggered;
the first acquisition-and-judgment unit is configured to obtain the network access configuration information from the application configuration information and judge whether it is the same as the network access configuration information in the custom IP address list; if so, the process ends, otherwise the processing unit is triggered;
the processing unit is configured to delete the existing network access configuration information from the custom IP address list, pass that information as a parameter to the network driver, save the network access configuration information from the application configuration information into the custom IP address list, and trigger the deletion module.
Optionally, the apparatus further includes a POS management service, which includes a second determination module and a calling module;
the second determination module is configured to determine, according to the type of interface called by the third-party application, the type of system service interface to call, and to call the interface of that type;
the calling module is configured to call the interface of the system service.
Further, the calling module is specifically configured to obtain the application package name, organize the network access configuration information and the package name into the application configuration information, and call the system service interface with the application configuration information as a parameter.
Further, the first or second acquisition-and-judgment module is specifically configured to judge whether user firewall permission information exists according to the application package name in the application configuration information.
Optionally, the system service further includes a signature verification module, configured to obtain the signature verification data from the application configuration information and verify the code signature; if verification passes, network configuration permission is granted and the acquisition-and-saving module is triggered, otherwise the process ends.
Optionally, the deletion module is specifically configured to delete all network access configuration information from the filtering whitelist rule table through a deletion instruction when the intelligent terminal device shuts down.
Optionally, the system service further includes a reconfiguration module, configured, when the intelligent terminal device boots or restarts, to obtain the saved custom IP address list, traverse it, take each network access configuration entry in order and pass it as a parameter to the network driver.
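The system-service bookkeeping described in the module list above (the acquisition-and-saving module, the judgment-and-deletion module with its replace semantics, the acquisition-and-deletion module, the shutdown deletion and the boot-time reconfiguration), as an added example that is not the patent's code. It keeps the custom IP address list keyed by package name, persists it as a JSON file so it survives a reboot, and drives a stand-in network driver that only records the configuration and deletion instructions it receives. The file format, the keying by package name and the driver stand-in are assumptions.

```python
import json
import os
import tempfile


class RecordingDriver:
    """Stand-in for the network driver (not the patent's code): records every
    configuration / deletion instruction and mirrors the resulting filtering
    whitelist rule table so callers can inspect it."""

    def __init__(self):
        self.instructions = []
        self.whitelist = set()

    def configure(self, ip):
        self.instructions.append(("configure", ip))
        self.whitelist.add(ip)

    def delete(self, ip):
        self.instructions.append(("delete", ip))
        self.whitelist.discard(ip)

    def delete_all(self):
        self.instructions.append(("delete_all", None))
        self.whitelist.clear()


def fresh_store_path():
    """Path for a new custom-IP-list file in a temporary directory."""
    return os.path.join(tempfile.mkdtemp(), "custom_ip_list.json")


class NetworkConfigService:
    """System-service side. Assumptions: the custom IP address list is keyed by
    application package name and persisted as JSON; the driver's rule table is
    volatile and is rebuilt from the list on boot."""

    def __init__(self, driver, store_path):
        self.driver = driver
        self.store_path = store_path
        self.custom_list = {}  # package name -> network access configuration (IP)
        if os.path.exists(store_path):
            with open(store_path, encoding="utf-8") as f:
                self.custom_list = json.load(f)

    def _persist(self):
        with open(self.store_path, "w", encoding="utf-8") as f:
            json.dump(self.custom_list, f)

    @staticmethod
    def has_firewall_permission(app_config):
        """The 'does user firewall permission information exist' check."""
        return bool(app_config.get("firewall_permission"))

    def set_network_access(self, app_config):
        """First type (add). Judgment-and-deletion logic: an identical existing
        entry is a no-op; a different one is deleted from the list and from the
        driver before the new entry is saved and configured."""
        if not self.has_firewall_permission(app_config):
            return "no-permission"
        pkg, ip = app_config["package"], app_config["network_access"]
        old = self.custom_list.get(pkg)
        if old == ip:
            return "unchanged"
        if old is not None:
            del self.custom_list[pkg]
            self.driver.delete(old)
        self.custom_list[pkg] = ip
        self._persist()
        self.driver.configure(ip)
        return "configured"

    def clear_network_access(self, app_config):
        """Second type (delete): remove the entry from the list and the driver."""
        if not self.has_firewall_permission(app_config):
            return "no-permission"
        ip = self.custom_list.pop(app_config["package"], None)
        if ip is None:
            return "absent"
        self._persist()
        self.driver.delete(ip)
        return "deleted"

    def on_shutdown(self):
        """Device shutdown: the driver clears its whole rule table; only the
        persisted custom list survives."""
        self.driver.delete_all()

    def on_boot(self):
        """Device boot / restart: traverse the saved list in order and pass each
        entry to the driver again. Returns the number of entries replayed."""
        for ip in self.custom_list.values():
            self.driver.configure(ip)
        return len(self.custom_list)


if __name__ == "__main__":
    store = fresh_store_path()
    svc = NetworkConfigService(RecordingDriver(), store)
    app = {"package": "com.example.pos", "firewall_permission": "user_firewall",
           "network_access": "192.168.1.131"}
    print(svc.set_network_access(app), svc.driver.whitelist)
    print(svc.set_network_access(dict(app, network_access="192.168.1.132")), svc.driver.instructions)
    svc.on_shutdown()
    rebooted = NetworkConfigService(RecordingDriver(), store)  # same file, new driver
    print("replayed", rebooted.on_boot(), rebooted.driver.whitelist)
```

The list is written to disk before the driver is told about the change, so a crash between the two steps leaves an entry in the list that the next boot replays, rather than a rule in the driver that nothing remembers.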
Optionally, the system service further includes a setting module, configured to set the firewall permission group information corresponding to the application according to the user firewall information in the application configuration information when the first or second acquisition-and-judgment module finds that user firewall permission information exists;
Optionally, the receiving module specifically includes a listening unit, configured to listen for network response packets;
the listening unit is specifically configured to listen for the network response packets corresponding to applications for which firewall permission group information has been set.
It should be noted that when the apparatus provided by the above embodiment performs the method for network access by an application in an intelligent terminal device, the division into the functional modules above is only an example; in practice the functions may be allocated to different functional modules as required, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus embodiment and the method embodiment belong to the same concept; the implementation is detailed in the method embodiment and is not repeated here.
The serial numbers of the above embodiments are for description only and do not indicate that one embodiment is better than another.
The method and apparatus for network access by an application in an intelligent terminal device provided by the present invention apply the network access setting information specified by the application, according to the determined application network setting type, through the system service and the network driver. This solves the prior-art problem that an application lacking the permission cannot set up secure network access, lets the application access the network and operate securely within a specified network environment, and avoids risks such as data leakage caused by network security problems.
An embodiment of the present invention further provides a computer device comprising a memory, a processor and a computer program stored in the memory, the processor executing the computer program to implement the method for network access by an application in an intelligent terminal device disclosed in any of the foregoing embodiments.
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program or instructions which, when executed by a processor, implement the method disclosed in any of the foregoing embodiments. The computer-readable storage medium may include, but is not limited to, any type of disk, including floppy disks, optical disks, DVDs, CD-ROMs, microdrives and magneto-optical disks, ROM, RAM, EPROM, EEPROM, DRAM, VRAM, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any other type of medium or device suitable for storing instructions and/or data.
An embodiment of the present invention provides a computer program product comprising a computer program or instructions which, when executed by a processor, implement the method disclosed in any of the foregoing embodiments.
In the present invention, the terms "first", "second" and so on are used for description only and are not to be understood as indicating or implying relative importance or order; "a plurality of" means two or more unless otherwise clearly defined. "And/or" describes an association between objects and indicates that three relationships may exist; for example, "A and/or B" may mean A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it. Terms such as "install", "connect", "join" and "fix" are to be understood broadly; for example, a "connection" may be fixed, detachable or integral, and "joined" may mean joined directly or indirectly through an intermediate medium. Those of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the circumstances.
In the description of the present invention, it is to be understood that orientation or positional terms such as "upper" and "lower" are based on the orientations or positions shown in the drawings, are used only to facilitate and simplify the description, and do not indicate or imply that the device or unit referred to must have a particular orientation or be constructed and operated in a particular orientation; they are therefore not to be understood as limiting the present invention.
The above are only specific embodiments of the present invention, but the scope of protection is not limited to them; any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed herein shall fall within the scope of protection of the present invention. Accordingly, equivalent changes made according to the claims of the present invention remain within its scope.
Claims (16)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411112903.9A CN118646604B (en) | 2024-08-14 | 2024-08-14 | Method and device for performing network access on application in intelligent terminal equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118646604A CN118646604A (en) | 2024-09-13 |
| CN118646604B true CN118646604B (en) | 2024-10-22 |
Family
ID=92663512
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411112903.9A Active CN118646604B (en) | 2024-08-14 | 2024-08-14 | Method and device for performing network access on application in intelligent terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118646604B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108390944A (en) * | 2018-03-28 | 2018-08-10 | 北京小米移动软件有限公司 | Information interacting method and device |
| CN109922030A (en) * | 2017-12-13 | 2019-06-21 | 南京领创信息科技有限公司 | Global network access control system and method based on Android device |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103973700A (en) * | 2014-05-21 | 2014-08-06 | 成都达信通通讯设备有限公司 | Mobile terminal preset networking address firewall isolation application system |
| CN115550059A (en) * | 2022-11-17 | 2022-12-30 | 北京首信科技股份有限公司 | WEB access control and redirection system, method and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |