
CN-115361430-B - Method and system for realizing cooperation between applications in resource-constrained device


Abstract

A method for realizing cooperation between applications in a resource-constrained device. A client application initiates a service request and provides the service application identifier and the designated service identifier to the service access module. The service access module calls the registration service interface method of the service application to obtain the registration service interface, which is used to authenticate the client application. After authentication passes, the service management module registers the service requested by the client application. The client application then obtains the service interface through the service access module, by way of the service interface method of the service application, and uses the service. The client application creates shadow array objects through the service access module to exchange data between applications. The invention effectively prevents counterfeit client applications and unauthorized use of service application resources. Because the service application does not rely on the client application identifier to authenticate the client, client applications installed after the service application has been deployed can still access it.

Inventors

  • SHI YUPING
  • XU JUNJIANG
  • ZHENG JIANGDONG
  • WANG YOUJUN

Assignees

  • 北京握奇数据股份有限公司

Dates

Publication Date
20260512
Application Date
20220701

Claims (10)

  1. A system for implementing inter-application collaboration in a resource constrained device, the system comprising a service application, a service management module, a service access module, a runtime environment, and a client application, wherein: the service application provides a plurality of services for the client application, each service comprises a service identifier, a service interface and a registration service interface for authenticating the client before using the service, the service interface and the registration service interface are marked as output interfaces through an annotation mechanism provided by a high-level programming language, an object for realizing the output interfaces is called an output interface object, and a compiler/converter generates an output mark for the output interfaces and classes of the output interface objects in the interface definition of executable files; the service management module is used for managing the service and the registration service output by the service application, and the management function comprises the steps of installing the service, managing the request service of the client application, acquiring the registration service interface and the service interface of the designated service identifier, and inquiring whether the designated service is authorized to be used; the running environment comprises a virtual machine, an output interface method, a service application and a control module, wherein the virtual machine is used for executing the client application and the service application, the client application and the service application are protected by a firewall mechanism realized by the running environment when being executed, the firewall mechanism ensures that the client application cannot access an object owned by the service application, and the service application cannot access the object owned by the client application; the service access module is implemented by the running environment and is used for replacing a method for requesting the output interface of the service application by the client application, and the client application uses the output service of the service application through the service access module.
  2. The system for implementing inter-application collaboration in a resource constrained device of claim 1, wherein the manner in which the registration service authenticates the client is determined and implemented by the service application, the service application and the client application sharing a secret data in advance when employing a challenge/response authentication mechanism.
  3. The system for implementing inter-application collaboration in a resource constrained device of claim 2, wherein the service management module is implemented in a service application superclass, a specific service application inherits the service application superclass.
  4. The system for implementing inter-application collaboration in a resource constrained device of claim 1, wherein the runtime environment implements the service access module by way of an application programming interface.
  5. The system for implementing inter-application collaboration in a resource constrained device of claim 1, wherein the service access module further provides a shadow array object function for creating an array object for implementing data sharing between the client application and the service application, the shadow array object and the source array object having the same member type, the storage locations of the members being the same, the shadow array object being owned by the service application specified at the time of creation.
  6. A method of implementing inter-application collaboration in a resource constrained device using the system of any of claims 1-5, comprising the steps of: S1, a client application initiates a service request, and an identifier of the client application and a service identifier of a requested service are provided for a service access module; S2, the service access module inquires a service application according to a service identifier of a client request service, invokes a registration service interface method provided by the service application to obtain a registration service interface corresponding to the service application, wherein the registration service interface method provided by the service application comprises the identifier of the client application, and the client application completes authentication of the service application to the client application through the registration service; S3, after the authentication of the client application is passed, the service application registers the service requested by the client application through the service management module; S4, the client application calls a service interface method provided by the service application through the service access module to acquire a service interface corresponding to the service application, so that the requested service is used.
  7. The method for implementing inter-application collaboration in a resource-constrained device according to claim 6, wherein when the service access module in step S2 is implemented by an application programming interface, the authentication procedure of the client application is specifically: the application programming interface requests a registration service interface object corresponding to the service application according to the identification of the client application and the service identification of the service request; the service application returns an output interface object for realizing registration service in a general registration service interface mode; the client application performs type conversion on the universal registration service interface, and the client application calls a corresponding registration service interface method; the client application can finish the authentication of the service application to the client application by calling the registration service interface method and checking through the firewall of the virtual machine.
  8. The method for implementing inter-application collaboration in a resource-constrained device according to claim 7, wherein step S3 is specifically: the service management module registers the service requested by the client application using the identification of the client application and the service identification of the requested service, and stores the authorization status in the RAM area.
  9. The method for implementing inter-application collaboration in a resource-constrained device according to claim 8, wherein the process of using services by the client application in step S4 is specifically: the application programming interface requests a service interface object corresponding to the service application according to the identification of the client application and the service identification of the service request; the service management module inquires whether the appointed service is authorized to be used according to the identification of the client application and the service identification of the request service; if authorized, the service application returns an output interface object for realizing the service in a general service interface mode; the client application performs type conversion on the universal service interface, and the client application calls a corresponding service interface method; the client application invoking the service interface method may pass through a firewall check of the virtual machine, and the client application uses the requested service.
  10. The method for implementing collaboration between applications in a resource-constrained device according to any of claims 7-9, wherein the client application invokes the service access module to create a shadow array object of the array object as needed to implement data exchange between the client application and the service application, the specific steps comprising: the client application calls an application programming interface to create a shadow array object of a source array object owned by the client application for a specified service application, wherein the shadow array object is owned by the service application; when the client application calls an output interface method, the shadow array object is used as a parameter to be transmitted to the service application; the service application accesses the shadow array object through the shadow array object parameters, reads input data of the client application or writes data into the shadow array object, and realizes the function of returning the data to the client application; and when the output interface method returns, the client application acquires the data returned by the service application by reading the source array of the shadow array object.
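
The S1 to S4 flow of claim 6, with the challenge/response registration of claim 2 and the authorization table of claim 8, modelled in Python as an added example; it is not code from the patent. All names are hypothetical, the response function (HMAC-SHA256 over challenge, client identifier and service identifier) is an assumption since the patent only requires a pre-shared secret, and the identifiers and secret are constructed sample values.

```python
import hashlib
import hmac
import os


def response_for(secret, challenge, client_id, service_id):
    # Assumed response function; the patent leaves the mechanism to the service application.
    return hmac.new(secret, challenge + client_id + service_id, hashlib.sha256).digest()


class ServiceApp:
    """Service application together with its service management state."""

    def __init__(self, service_id, secret):
        self.service_id, self._secret = service_id, secret
        self._pending = {}        # client id -> outstanding challenge
        self._authorized = set()  # (client id, service id); volatile, like the RAM area of claim 8

    def get_challenge(self, client_id):       # registration service interface
        self._pending[client_id] = os.urandom(16)
        return self._pending[client_id]

    def register(self, client_id, response):  # registration service interface
        challenge = self._pending.pop(client_id, None)  # each challenge is single-use
        if challenge is None:
            return False
        expected = response_for(self._secret, challenge, client_id, self.service_id)
        if not hmac.compare_digest(expected, response):
            return False
        self._authorized.add((client_id, self.service_id))  # S3: record the authorization
        return True

    def get_service(self, client_id):         # service interface, gated on S3
        if (client_id, self.service_id) not in self._authorized:
            raise PermissionError("service not registered for this client")
        return lambda data: data[::-1]        # stand-in for the real service method


def client_use_service(apps, client_id, secret, service_id, payload):
    """Client side of S1-S4; `apps` stands in for the service access module's lookup."""
    app = apps[service_id]                    # S1/S2: locate the service application by service id
    challenge = app.get_challenge(client_id)
    app.register(client_id, response_for(secret, challenge, client_id, service_id))
    return app.get_service(client_id)(payload)  # S4: raises if registration did not succeed
```

Authorization depends on knowledge of the secret rather than on a list of known client identifiers, so a client installed after the service application can register, while one that only presents an identifier is refused at S4.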

Description

Method and system for realizing cooperation between applications in resource-constrained device

Technical Field

The invention belongs to the technical field of computer security, in particular to a method and a system for realizing inter-application cooperation in a resource-limited device, which are used for realizing inter-application secure communication on the resource-limited device such as a smart card, a secure element and the like.

Background

In order to support collaboration among application programs, the conventional technology provides operation environment privileges, operation environment entry point objects, a global array and a shared interface object mechanism, wherein the former three mechanisms are used for interaction between operation environment and application programs, and the shared interface object mechanism aims at providing collaboration among application programs. Conventional techniques define a markup interface called Shareable, and any interface that extends Shareable will be considered a shared interface, and firewall mechanisms allow services to be requested from objects that implement the shared interface. The prior shared interface object mechanism has some security defects and disadvantages, such as counterfeit client application and unauthorized use of resources, and can not support the later installed client application to access the service application after the service application is deployed without upgrading the service application because the service application relies on the client Application Identification (AID) to authenticate the client.

Disclosure of Invention

In order to solve the defects existing in the prior art, the invention aims to provide a method and a system for realizing inter-application cooperation in a resource-constrained device, by the method and the system, fake client applications can be effectively avoided, unauthorized use of resources of service applications is prevented, and the client applications are supported to access the service applications without upgrading the service applications.

In order to achieve the above purpose, the invention adopts a technical scheme that: a system for implementing inter-application collaboration in a resource-constrained device, comprising a service application, a service management module, a service access module, an operating environment, and a client application, wherein:

the service application provides a plurality of services for the client application, each service comprises a service identifier, a service interface and a registration service interface for authenticating the client before using the service, the service interface and the registration service interface are marked as output interfaces through an annotation mechanism provided by a high-level programming language, an object for realizing the output interfaces is called an output interface object, and a compiler/converter generates an output mark for the output interfaces and classes of the output interface objects in the interface definition of executable files;

the service management module is used for managing the service and the registration service output by the service application, and the management function comprises the steps of installing the service, managing the request service of the client application, acquiring the registration service interface and the service interface of the designated service identifier, and inquiring whether the designated service is authorized to be used;

the running environment comprises a virtual machine, an output interface method, a service application and a control module, wherein the virtual machine is used for executing the client application and the service application, the client application and the service application are protected by a firewall mechanism realized by the running environment when being executed, the firewall mechanism ensures that the client application cannot access an object owned by the service application, and the service application cannot access the object owned by the client application;

the service access module is implemented by the running environment and is used for replacing a method for requesting the output interface of the service application by the client application, and the client application uses the output service of the service application through the service access module.

Further, the system for realizing inter-application collaboration in the resource-constrained device as described above, the service application determines and realizes the manner in which the registration service authenticates the client, and when the challenge/response authentication mechanism is adopted, the service application and the client application share in advance a secret data.

Further, in the system for implementing inter-application collaboration in a resource-constrained device as described above, the service management module is implemented in a service application sup