METHOD OF GENERATING, FROM AN INITIAL PACKAGE FILE COMPRISING AN APPLICATION TO BE SECURED AND AN INITIAL CONFIGURATION FILE, A PACKAGE FILE FOR SECURING THE APPLICATION, AND ASSOCIATED COMPUTER PROGRAM PRODUCT AND COMPUTING DEVICE

- THALES

A method for generating a package file from an initial package file including an application to be secured and an initial configuration file is implemented by a computer. In one aspect, the method includes extracting, from the initial package file, the application and the initial configuration file, and creating a first configuration file from the initial configuration file. The method also includes creating an application for dynamically creating an execution environment for the application to be secured, configured to load a security library, to substitute, among the function calls associated with the application to be secured, a call to an unsecured function with a call to a function of the security library, and to launch the application to be secured after the substitution. The method further includes encapsulating the first configuration file and the application to be secured in a first package file.

Description
CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation and claims benefit under 35 U.S.C. §§120 and 365 of PCT Application No. PCT/EP2012/069876, entitled “METHOD FOR GENERATING, FROM AN INITIAL PACKAGE FILE COMPRISING AN APPLICATION TO BE SECURED AND AN INITIAL CONFIGURATION FILE, A PACKAGE FILE FOR SECURING THE APPLICATION, AND ASSOCIATED COMPUTER PROGRAM PRODUCT AND COMPUTING DEVICE,” filed Oct. 8, 2012, which is herein incorporated by reference in its entirety and which claims priority to French Application No. 11 03046, entitled “METHOD FOR THE DYNAMIC CREATION OF AN APPLICATION EXECUTION ENVIRONMENT FOR SECURING SAID APPLICATION, AND ASSOCIATED COMPUTER PROGRAM PRODUCT AND COMPUTING DEVICE,” filed on Oct. 6, 2011, which is incorporated herein by reference in its entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method for generating, from an initial package file comprising an application to be secured and an initial configuration file, at least one package file for securing the application, the generating method being implemented by a computing device comprising an information processing unit and a memory.

2. Description of the Related Technology

Embodiments also relate to a computer program product including software instructions which, when implemented by an information processing unit integrated into a computing device, implement such a method for generating package files.

Embodiments also relate to a computing device comprising an information processing unit and a memory associated with the information processing unit.

A computing apparatus is known, such as a mobile terminal, managed by an Android platform hosting applications. The Android platform includes a Linux kernel, a set of function libraries in the C or C++ language, and a Dalvik virtual machine capable of executing applications hosted by the Android platform.

The operation of sensitive applications must be secured in order to protect the data processed by those applications and combat threats of information being recovered as a result of the loss or theft of the mobile terminal, or the interception of communications between the mobile terminal and another piece of computing equipment. One data securing solution then consists of modifying the source or binary code of each of the applications to be secured so as to cause them to call specialized libraries including appropriate security functions.

WO 2012/109196 A1 describes a method for modifying a source or binary code of each of the applications to be secured, then recompiling the modified source or binary code, so that the applications thus modified call specialized libraries including appropriate security functions.

However, such securing of the applications requires modifying the source or binary code of each of the applications, which is particularly restrictive, and is furthermore not always allowed by the provider of the application when the modification of the code is done by a third party.

SUMMARY OF THE INVENTION

One aim of the embodiments described herein is to propose a method for using an initial package file including an application to be secured and an initial configuration file to generate a package file, the generating method making it possible to secure the application during the execution of the package while limiting the modifications to the code of the operating system, the application environment or the application to be secured.

In one aspect, the method for generating package files can include the following steps, carried out by an application for generating package files, the application being stored in the memory of the computing device: extracting, from the initial package file, the application to be secured and the initial configuration file, creating a first configuration file from the initial configuration file, creating an application for dynamically creating an execution environment for the application to be secured, the application for the dynamic creation of the execution environment being suitable for implementing the loading of a security library, the substitution, from a function call or function calls associated with the application to be secured, of at least one call to an unsecured function with a call to a corresponding function of the security library, and launching the application to be secured after the substitution, and encapsulating the first configuration file and the application to be secured in a first package file, the application for the dynamic creation of the execution environment being encapsulated in the first package file or in a second package file, the second package file including the application for the dynamic creation of the execution environment and a second configuration file.

According to other advantageous aspects, the method comprises one or more of the following features, considered alone or according to any technically possible combinations: during the step for creating the first configuration file, the first configuration file is created by modifying the initial configuration file so that the application for creating the execution environment is launched in place of the application to be secured during the execution of the corresponding package file; the first package file includes the first configuration file and the application to be secured, the second package file includes the second configuration file and the application for creating the execution environment, each application among the application to be secured and the application for creating the execution environment comprises at least one component, each configuration file containing one or more component declarations, and the method comprises the creation of the second configuration file, the second configuration file containing the same component declarations as the initial configuration file; at least one declared component in each configuration file is a content provider, and the content provider is declared in the second configuration file with a higher priority than that of the content provider declared in the first configuration file, so that the content provider of the application for creating the execution environment is launched before the content provider of the application to be secured; the first package file includes the first configuration file and the application to be secured, the second package file includes the second configuration file and the application for creating the execution environment, the initial configuration file includes activity declarations and message filters associated with the declared activities, and during the step for creating the first configuration file, the message filters for the activities declared in the initial configuration file are deleted in the first configuration file; the first package file includes the first configuration file, the application to be secured and the application for creating the execution environment, and the first package file is configured so that the application for creating the execution environment is launched before the application to be secured; the application for the dynamic creation of the execution environment, created during the creation step, is further adapted for filtering of the interactions between the application to be secured and other unsecured applications or interactions between the application to be secured and the operating system according to the predefined filtering rules in the application for the dynamic creation of the execution environment; the method further comprises the cryptographic protection, with at least one protection key, of the or each generated package file; the first package file includes the first configuration file and the application to be secured, and the second package file includes the second configuration file and the application for creating the execution environment, and during the cryptographic protection step, the cryptographic protection of the first package file and the cryptographic protection of the second package file are done with the same protection key.

An aspect also relates to a computer program product including software instructions which, when implemented by an information processing unit integrated into a computer device, implements a method as defined above.

Another aspect also relates to a computing device comprising an information processing unit and a memory that is associated with the information processing unit, in which the memory includes an application for generating, from an initial package file including an application to be secured and an initial configuration file, at least one package file for securing the application, the application for generating package file(s) including: a component for extracting the application to be secured and the initial configuration file from the initial package file, a component for creating a first configuration file from the initial configuration file, a component for creating an application for the dynamic creation of an execution environment for the application to be secured, the application for the dynamic creation of the execution environment being suitable for implementing the loading of a security library, substituting, from among one or more function call(s) associated with an application to be secured, at least one call to an unsecured function with a call to a corresponding function of the security library, and launching the application to be secured after the substitution step, and a component for encapsulating the first configuration file and the application to be secured in a first package file, the application for the dynamic creation of the execution environment being encapsulated in the first package file or in a second package file, the second package file then including the application for the dynamic creation of the execution environment and a second configuration file.

BRIEF DESCRIPTION OF THE DRAWINGS

These features and advantages of the invention will appear upon reading the following description, provided solely as an embodiment, and in reference to the appended drawings, in which:

FIG. 1 is a diagrammatic view of a computing device according to an embodiment, the computing device being capable of generating at least one package file designed to be executed by a computing apparatus, such as a mobile terminal.

FIG. 2 is a diagrammatic illustration of a memory of a computing apparatus of FIG. 1.

FIG. 3 is a flowchart of a method for generating package file(s), according to an embodiment.

FIG. 4 is a flowchart of a method for preparing an environment for executing an application to be secured.

FIG. 5 is a dynamic illustration of the preparation of the execution environment for the application to be secured and the execution of the application.

FIG. 6 is a view similar to that of FIG. 3, according to another embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

In FIG. 1, a computing apparatus 10, such as a mobile terminal, comprises an information processing unit 12, a first memory 14 associated with the information processing unit, and a screen 15.

In the example embodiment of FIG. 1, the computing apparatus 10 is a mobile telephone and further comprises a wireless antenna 16 and a wireless transceiver 17 that are connected to the first information processing unit.

A computing device 18 comprises a second information processing unit 19A and a second memory 19B associated with the second information processing unit 19A.

The first information processing unit 12 for example includes a data processor.

The first memory 14 includes an operating system 20 and multiple package files 21, also called non-sensitive package files, and package files 22A, 22B, also called sensitive package files, namely a first package file 22A and a second package file 22B.

Additionally, the first memory 14 includes a secondary package file 23.

The first memory 14 also includes a security library 24 for example capable of securing the data storage and/or data exchange with another computing apparatus.

The wireless transceiver 17 includes a component for transmitting and receiving wireless signals via the wireless antenna 16. The wireless transceiver 17 can operate according to the GPRS (General Packet Radio Service) communication standard or the UMTS (Universal Mobile Telecommunication System) standard.

The wireless antenna 16 and the wireless transceiver 17 are capable of allowing the establishment of a wireless link between the computing apparatus 10 and another computing apparatus including a wireless antenna and transceiver using the same communication standard.

The second information processing unit 19A for example includes a data processor.

The second memory 19B includes an application 25 for generating at least one sensitive package file 22A, 22B from an initial package file, not shown.

The operating system 20 includes a kernel 26, a set 27 of function libraries, a virtual machine 28 and an application framework 30.

Each non-sensitive package file 21 includes a non-sensitive application 31 in the form of a binary file and an associated configuration file 32, the non-sensitive application 31 not needing to be secured.

The first sensitive package file 22A includes a first configuration file 33 and an application to be secured 34 in the form of a binary file. The second sensitive package file 22B includes a second configuration file 35 and an application 36 for the dynamic creation of an execution environment for the application to be secured, the application for creating the execution environment 36 being in the form of a binary file.

Additionally, the secondary package file 23 includes an application, not shown, for authenticating the user and recovering a key for unlocking the security library. The secondary package file 23 includes a third configuration file, not shown, associated with the application for authenticating the user and recovering the unlocking key. The authentication of the user is done, for example, using a chip card included in the apparatus 10, or a near field communication card outside the apparatus, also called NFC card. The application is also capable of verifying the permissions associated with a third-party application to control access to that third-party application by the user.

The security library 24 includes a function 37A for securing the data storage, a function 37B for securing data exchanges with another computing apparatus, and a function 37C for eliminating debugging events, as shown in FIG. 2.

In the example of FIGS. 1 and 2, the security library 24 is a specific library separate from the native libraries included in the operating system 20.

Alternatively, as illustrated by the dotted lines in FIG. 2, the security library 24 is a native library included in the set of libraries 27 of the operating system delivered by the provider of the operating system.

The application for generating package files 25 includes a component 40 for extracting the application to be secured 34 and an initial configuration file, not shown, from the initial package file, and a component 42 for creating the first configuration file 33 and the second configuration file 35, each from the initial configuration file.

The application for generating package files 25 includes a component 44 for creating the application for the dynamic creation of the execution environment 36, the application for the dynamic creation of the execution environment 36 being adapted to implement the loading of the security library 24; substitute, from among one or more functions associated with the application to be secured 34, at least one call to an unsecured function with a call to a corresponding function 37A, 37B, 37C from the security library 24; and launch the application to be secured 34 after the substitution.

The application for generating package files 25 includes encapsulation component 46, on the one hand, for the first configuration file 33 and the application to be secured 34 in the first package file 22A, and on the other hand, the second configuration file 35 and the application for the dynamic creation of the execution environment 36 in the second package file 22B.

Additionally, the application for generating package files 25 includes a component 47 for cryptographic protection of the first and second package files previously generated.

As understood by one skilled in the art, the kernel 26 forms a layer of abstraction between a hardware part in particular including the first information processing unit 12, the first memory 14 and the wireless transceiver 17 on the one hand, and the rest of the operating system 20, in particular the set of libraries 27, on the other hand. The kernel 26 is suitable for managing essential services such as the security of the operating system, memory management, or process management.

The set of libraries 27 comprises an unsecure function library 48.

The virtual machine 28 is known by one skilled in the art, and is capable of running each binary file contained in the respective package files 21, 22, 23.

The application framework 30 includes services 49A, 49B available to the applications 31, 34, 36, such as an activity management service 49A and a management service 49B for the package files associated with the applications.

Each application 31, 34, 36 is in the form of a binary file including a binary code, also referred to as bytecode, designed to be executed by the virtual machine 28. The execution of the application 31, 34, 36 by the virtual machine 28 is an interpretation of the bytecode of the application.

Each application 31, 34, 36 comprises one or more components A, B, #A, #B, as shown in FIG. 4, the components having different types, such as an activity, a service, a content provider, or a broadcast receiver. Each component A, B, #A, #B plays a different role in the behavior of the application, and can be activated individually, even by other applications.

In the described embodiment, the operating system 20 is the Android® application system by Google. The kernel 26 is then based on a Linux kernel, more specifically on version 2.6 of the Linux kernel. The set of libraries 27 is written in the C/C++ computer language. The virtual machine 28 is the Dalvik virtual machine. The applications 31, 34, 36 are written in the Java language and are in the form of a binary code that is executable by the Dalvik virtual machine 28.

Alternatively, other embodiments apply to any operating system of the same type as the Android® operating system. In particular, some embodiments apply to an operating system including a kernel, a virtual machine designed to run the applications, and a set of function libraries accessible by the kernel and the virtual machine.

Each configuration file 32, 33, 35 includes information for naming and indicating the version of the application, the declarations of each of the components of the application, the message filters allowing the application to identify, in a predefined manner, certain messages among those received from the operating system 20 or other applications, and potentially metadata.

In the case of Android®, each configuration file 32, 33, 35 is also called Manifest file. The component declarations are then referenced using the following expressions: <activity>, <service>, <provider> or <receiver>, depending on whether the components are of the activity, service, content provider, or broadcast receiver type. The message filters, also called message declarations, are also called Intent filters. The metadata may provide an additional description of a component.

The non-sensitive configuration file 32 is known by one skilled in the art.

The first configuration file 33 includes information for naming and indicating the version of the application to be secured 34, and contains the declarations of the components of the application to be secured 34. The first configuration file 33 is created from the initial configuration file and by modifying the initial configuration file so that the application for creating the execution environment 36 is launched in place of the application to be secured 34 during execution of the first and second package files 22A, 22B. The manner of creating the first configuration file 33 from the initial configuration file will be described in more detail hereinafter using the flowchart for the method for generating package files of FIG. 3.

The application to be secured 34 is designed to call at least one function of the unsecure function library 48 during its execution.

The second configuration file 35 includes information for naming and indicating the version of the application for creating the execution environment 36, and contains the declarations of the components of the application for creating the execution environment 36. The manner of creating the second configuration file 35 will be described in more detail below using the flowchart for the method for generating the package files of FIG. 3.

The application for the dynamic creation of the environment 36 includes a component 50 for loading the security library, a component 52 for substituting, among the function call(s) associated with the application to be secured 34, at least one call to an unsecured function with a call to a corresponding function from the security library 24.

Additionally, the application for creating the execution environment 36 includes a component 54 for authenticating the user of the computing apparatus and recovering an unlocking key for the security library, and a component 56 for intercepting and filtering messages transmitted or received by the application to be secured 34.

The application for creating the execution environment 36 includes a component 58 for launching the application to be secured following the substitution of the call for the unsecure function by the call for the security function.

The application for creating the execution environment 36 is an application dedicated to the application(s) to be secured 34, and is distinct from the operating system 20.

The function for securing the data storage 37A is capable of protecting sensitive data stored in a memory area of the first memory 14, for example via cryptographic protection of the stored data. The protection is a confidentiality protection, in order to prohibit access to that data by an unauthorized person, and also an integrity protection, in order to prevent any modification of the content of that data.

The function for securing data exchanges 37B is capable of protecting data exchanges between the application to be secured 34 and the other computing apparatus, not shown.

The function for deleting debugging events 37C is capable of deleting the debugging events before they are recorded in the first memory 14, the debugging events being generated during the execution of tags contained in the code of the application to be secured 34. These debugging events, which are used to determine the code of the application before the code is finalized, are sometimes kept in the application code, and are then capable of causing a security breach.

The unsecure function library 48 is known by one skilled in the art. In the embodiments of an Android® operating system, the unsecure function library 48 is a library of function(s) written in the C/C++ computer language.

In the example embodiment of FIG. 1, the authentication and recovery component 54 is a component for calling the authentication application for the user and recovering the unlocking key encapsulated in the secondary package file 23. In other words, the authentication and recovery component 54 includes only one point of entry toward the application for authenticating the user and recovering the key.

Alternatively, the first memory 14 does not include the secondary package file, and the authentication and recovery component 54 of each application for creating the execution environment comprises the functionalities of the user authentication and unlocking key recovery application, and is capable of authenticating the user of the computing apparatus 10, then, in case of successful authentication, recovering the unlocking key from the security library 24.

The method for generating package files according to some embodiments will now be described using the flowchart in FIG. 3.

During the initial step 70, the application to be secured 34 and the initial configuration file are extracted from the initial package file.

The initial configuration file thus extracted is next used during the following step 75 to create the first configuration file 33 on the one hand and the second configuration file 35 on the other hand.

The first configuration file 33 is created by modifying the initial configuration file so that the application for creating the execution environment 36 is launched in place of the application to be secured 34 during the execution of the package files 22A, 22B.

The message filters, also called Intent filters, for the activities declared in the initial configuration file are for example deleted in the first configuration file 33.

Additionally, the name of the process declared in the first configuration file 33 is a predetermined name, and that process name will be the same in the second configuration file 35 in order to guarantee that the application to be secured 34 and the application for creating the execution environment 36 will be executed in the same process.

During step 75, the second configuration file 35 is also created from the initial configuration file. The second configuration file 35 for example contains the same component declarations as those contained in the initial configuration file. The components declared in the second configuration file 35 for example reiterate the same message filters as those specified in the initial configuration file for the corresponding components.

Additionally, at least one component declared in the first configuration file 33 and the second configuration file 35 is a content provider, and the content provider is declared in the second configuration file 35 with a higher priority than that of the content provider declared in the first configuration file 33. This higher priority order of the declaration of the content provider in the second configuration file 35 than the corresponding one in the first configuration file 33 makes it possible for the content provider of the application for creating the execution environment 36 to be launched before the content provider for the application to be secured 34.

Additionally, as previously indicated for the first configuration file 33, the name of the process declared in the second configuration file 35 is a predetermined name and is identical to that of the process declared in the first configuration file 33, in order to guarantee that the application to be secured 34 and the application for creating the execution environment 36 will be executed in the same process.
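An added example (not code from the patent or its assignee) of the step 75 transformation just described, written in Python over a constructed manifest: it strips the intent filters from the secured app's activities, pins both manifests to one predetermined process name, copies the component declarations into the wrapper's manifest and declares the wrapper's content provider ahead of the app's. The package and process names, the reading of "higher priority" as android:initOrder, the re-homed provider authorities and the android:sharedUserId line are assumptions not stated in the text.

```python
"""Derive the first and second configuration files (step 75) from an initial
AndroidManifest.xml.  Added example; the sample manifest and all names are
constructed for it, not taken from the patent."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)


def attr(name):
    """Qualified name of an android:* attribute as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)


# Predetermined values (constructed for this example).
SHARED_PROCESS = "com.example.secured.proc"   # identical in both manifests (step 75)
SHARED_UID = "com.example.secured.uid"        # assumption: Android also needs a common sharedUserId for one process
WRAPPER_PACKAGE = "com.example.envwrapper"    # package name of the second package file
WRAPPER_PROVIDER = "com.example.envwrapper.BootstrapProvider"  # the wrapper's own content provider
WRAPPER_AUTHORITY = "com.example.envwrapper.bootstrap"

# Constructed initial configuration file (the manifest extracted in step 70).
INITIAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes" android:versionCode="7" android:versionName="1.2">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <data android:mimeType="text/plain"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes.provider"
        android:initOrder="1"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "provider", "receiver")


def _parse(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return root, app


def make_first_manifest(initial_xml):
    """First configuration file: same package and component declarations, but
    the activities lose their intent filters and the app is pinned to the
    shared process, so it is the wrapper that gets launched in its place."""
    root, app = _parse(initial_xml)
    root.set(attr("sharedUserId"), SHARED_UID)
    app.set(attr("process"), SHARED_PROCESS)
    for activity in app.findall("activity"):
        for flt in activity.findall("intent-filter"):
            activity.remove(flt)
    return ET.tostring(root, encoding="unicode")


def make_second_manifest(initial_xml):
    """Second configuration file: the same component declarations, intent
    filters included, under the wrapper's package name, plus the wrapper's
    own provider ordered ahead of every provider of the app to be secured."""
    root, app = _parse(initial_xml)
    root.set("package", WRAPPER_PACKAGE)
    root.set(attr("sharedUserId"), SHARED_UID)
    app.set(attr("process"), SHARED_PROCESS)
    highest = 0
    for prov in app.findall("provider"):
        highest = max(highest, int(prov.get(attr("initOrder"), "0")))
        # Android rejects a second package declaring an authority already
        # installed; assumption: re-home copied authorities under the wrapper.
        prov.set(attr("authorities"), WRAPPER_PACKAGE + "." + prov.get(attr("authorities")))
    boot = ET.SubElement(app, "provider")
    boot.set(attr("name"), WRAPPER_PROVIDER)
    boot.set(attr("authorities"), WRAPPER_AUTHORITY)
    boot.set(attr("initOrder"), str(highest + 1))  # higher initOrder is instantiated first
    return ET.tostring(root, encoding="unicode")


def summarize(manifest_xml):
    """What a reviewer checks on each generated manifest: package, process and,
    per component, (tag, name, number of intent filters, initOrder)."""
    root, app = _parse(manifest_xml)
    comps = [(el.tag, el.get(attr("name")), len(el.findall("intent-filter")),
              el.get(attr("initOrder"))) for el in app if el.tag in COMPONENT_TAGS]
    return {"package": root.get("package"), "process": app.get(attr("process")),
            "components": comps}


if __name__ == "__main__":
    print(summarize(make_first_manifest(INITIAL_MANIFEST)))
    print(summarize(make_second_manifest(INITIAL_MANIFEST)))
```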

At the end of the creation of the first and second configuration files 33, 35, the binary file for the application for the dynamic creation of the execution environment 36 is created during the following step 80. The binary file created is such that the application for the dynamic creation of the execution environment 36 is suitable for implementing the loading of the security library 24, substituting, among one or more function call(s) associated with the application to be secured 34, at least one call to an unsecured function with a call to a corresponding function from the security library 24, and launching the application to be secured 34 after the substitution.

Additionally, the application for the dynamic creation of the execution environment 36 is adapted to lock the security library 24 previously loaded and the function call substitution(s) done.

Additionally, the application for creating the execution environment 36 is adapted to request authentication of the user of the computing apparatus 10, then in case of successful authentication, to recover a key to unlock the security library 24.

Additionally, the application for creating the execution environment 36 is suitable for intercepting and processing messages exchanged between the operating system and the application to be secured 34, the messages being processed by the security library 24. The intercepted messages in particular relate to the standby, the waking up of the application to be secured 34, the storage of data in the first memory 14 and the exchange of data with another computing apparatus.

During this step 80, the binary file of the application for the dynamic creation of the execution environment 36 thus created is next encapsulated with the second configuration file 35, previously created during step 75, in the second package file 22B.

During step 85, the first configuration file 33 and the binary file of the application to be secured 34 are encapsulated in the first package file 22A. One skilled in the art will observe that the binary file of the application to be secured 34 is not modified during the generation of the package files 22A, 22B using the generating method.

Additionally, the application for generating package files 25 also adds the security library 24 in the second package file 22B.

Additionally, during the optional step 90, each package file 22A, 22B generated is cryptographically protected with one or more cryptographic keys and using cryptographic protection component 47. In some embodiments, the cryptographic key(s) used are different from the cryptographic key that may have been used to protect the initial package file.

The cryptographic protection of the first package file 22A and the cryptographic protection of the second package file 22B are for example done using the same cryptographic key, which makes it possible to ensure that any other application seeking to pass itself off as the application to be secured 34 cannot be installed on the operating system 20. This other application, not having been cryptographically protected with the same key, may not be executed in the same process as the application for creating the execution environment 36.

The operation of the computing apparatus 10 will henceforth be explained using FIGS. 4 and 5.

Before being stored in the first memory 14, each package file 22A, 22B is created using the application for generating package files 25 as previously described.

FIG. 4 illustrates a method for the dynamic creation of an environment for running the application to be secured 34 implemented by the application for creating the execution environment 36.

During the initial step 100, the security library 24 is loaded so that the security functions 37A, 37B, 37C contained in the security library 24 are available for the virtual machine 28 during the subsequent launch of the application to be secured 34.

The application for creating the execution environment 36 next substitutes, during step 110, at least one call to an unsecured function, among the call(s) to functions associated with the application to be secured 34, with a call to a corresponding function 37A, 37B, 37C from the security library 24 previously loaded.

The substitution step 110 for example includes the deletion of the dynamic link between the application to be secured 34 and the unsecured function, and the creation of a dynamic substitution link between the application to be secured 34 and the corresponding function 37A, 37B, 37C of the security library 24.

In the described embodiment, all of the calls to a data storage function among the function calls associated with the application to be secured 34 are substituted with calls to the security function for data storage 37A.

All of the calls to a data exchange function with another computing apparatus among the function calls associated with the application to be secured 34 are substituted with calls to the data exchange security function 37B.

All of the calls to a function to add a debugging event among the function calls associated with the application to be secured 34 are substituted with calls to the function to delete debugging events 37C.

Additionally, the application for creating the execution environment 36 next, during step 115, locks the security library 24 loaded during step 100 and performs the function call substitution(s) done during the preceding step 110.

When the substitution step 110 is carried out by introducing a substitution function, originating from the application for creating the execution environment 36, into the application to be secured itself or into the virtual machine 28 via a dynamic link, the locking step for example consists of replacing the reference to that substitution function with a reference to a new substitution function.

The code corresponding to the code of steps 110 and 115, as well as to the new substitution function and the securing functions, is positioned in the security library 24. This new substitution function performs filtering on the substitution requests, refusing to substitute the function calls processed in step 110, and allowing the substitution of the other function calls.

Additionally, during step 120, the application for creating the execution environment 36 next requests the authentication of the user of the computing apparatus 10, and in case of successful authentication, recovers a key for unlocking the security library 24.

Additionally, during step 130, the application for creating the execution environment 36 intercepts and processes the messages exchanged between the operating system and the application to be secured, the messages being processed by the security library 24. The intercepted messages in particular relate to the placement in standby, the waking up of the application to be secured 34, the storage of data in the first memory 14 and the exchange of data with another computing apparatus.

The application for creating the execution environment 36 lastly, during step 140, launches the application to be secured 34.

After the application to be secured 34 is launched, and as a result of the function call substitution(s) previously made, the corresponding call(s) generated by or for the application to be secured 34, optionally via the operating system 20, are first sent to the security library 24 and, if the latter authorizes it and where needed, on to the unsecured library 48.

The creation of the environment for running the application to be secured 34 is dynamic because it is carried out each time the application is executed and following the reception by the operating system 20 of an order to run the application.
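The following Python model, added here and not part of the patent, shows steps 110, 115, 120 and 140 together with the call flow just described: the dynamic links are modelled as a name-to-callable table, the locking step swaps in a filtering substitution function that refuses to re-substitute the secured links and allows the others, and `placeholder_seal` stands in for the real cipher applied by the storage function 37A. All names and the sample application are constructed for the example.

```python
"""Model of steps 110 (substitution), 115 (locking), 120 (unlock) and 140 (launch).

Assumptions: dynamic links are a name -> callable table, the security library's
functions are plain methods, and placeholder_seal stands in for real encryption.
"""
from typing import Callable, Dict, FrozenSet


class LinkTable:
    """The dynamic links of the application to be secured: symbol name -> target."""

    def __init__(self, links: Dict[str, Callable]) -> None:
        self._links = dict(links)
        # Until step 115 the substitution function replaces any link.
        self._substitute: Callable[[str, Callable], bool] = self._unlocked_substitute

    def call(self, name: str, *args):
        """A function call made by the application, resolved through the table."""
        return self._links[name](*args)

    def substitute(self, name: str, target: Callable) -> bool:
        return self._substitute(name, target)

    def _unlocked_substitute(self, name: str, target: Callable) -> bool:
        self._links[name] = target
        return True

    def lock(self, protected: FrozenSet[str]) -> None:
        """Step 115: replace the substitution function with a filtering one that
        refuses to re-substitute the links fixed in step 110 and allows the rest."""
        def filtering_substitute(name: str, target: Callable) -> bool:
            if name in protected:
                return False  # request refused: this link is already secured
            self._links[name] = target
            return True
        self._substitute = filtering_substitute


def placeholder_seal(data: bytes, key: bytes) -> bytes:
    """Stand-in for the cipher of security function 37A (NOT real encryption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class SecurityLibrary:
    """Security library 24 with functions 37A (storage) and 37C (debug events)."""

    def __init__(self, original_store: Callable) -> None:
        self._original_store = original_store  # the unsecured function of library 48
        self._key = None  # recovered at step 120 after user authentication

    def unlock(self, key: bytes) -> None:
        self._key = key

    def secure_store(self, path: str, data: bytes, disk: dict) -> None:
        """37A: authorised only once unlocked; the data is sealed, then forwarded."""
        if self._key is None:
            raise PermissionError("security library locked: user not authenticated")
        self._original_store(path, placeholder_seal(data, self._key), disk)

    def drop_debug_event(self, event: str, log: list) -> None:
        """37C: the debugging event never reaches the unsecured library."""
        return None


# Unsecured function library 48, modelled as plain callables.
def unsecured_store(path: str, data: bytes, disk: dict) -> None:
    disk[path] = data


def unsecured_log_debug(event: str, log: list) -> None:
    log.append(event)


def application_to_be_secured(links: LinkTable, disk: dict, log: list) -> None:
    """Constructed stand-in for application 34: it only knows symbol names."""
    links.call("log_debug", "opening notes", log)
    links.call("store", "notes.txt", b"secret meeting at 10", disk)


def create_execution_environment(key: bytes, disk: dict, log: list) -> LinkTable:
    """Steps 100 to 140 as performed by the environment-creating application 36."""
    links = LinkTable({"store": unsecured_store, "log_debug": unsecured_log_debug,
                       "beep": lambda: "beep"})
    lib = SecurityLibrary(original_store=unsecured_store)      # step 100: load
    links.substitute("store", lib.secure_store)                 # step 110
    links.substitute("log_debug", lib.drop_debug_event)
    links.lock(frozenset({"store", "log_debug"}))               # step 115
    lib.unlock(key)                                             # step 120
    application_to_be_secured(links, disk, log)                 # step 140
    return links
```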

FIG. 5 is an illustration of the dynamic creation of the environment for executing the application to be secured 34 and the execution of the application.

Following reception by the operating system 20 of an order to execute the second package file 22B, the operating system begins by launching the component #A of the application for creating the execution environment 36 using the activity management service 49A (arrow F1), according to the information contained in the first and second configuration files 33, 35, so that the application for creating the execution environment 36 is launched in place of the application to be secured 34.

The application for creating the execution environment 36 loads the security library 24 (arrow F2), according to the initial step 100 of the method for creating an execution environment. The security functions 37A, 37B, 37C contained in the security library are thus available for the subsequent actions of the virtual machine 28. The dynamic links between the application to be secured 34 and certain unsecured functions are deleted, and the corresponding dynamic substitution links are created between the application to be secured 34 and the corresponding function 37A, 37B, 37C of the security library 24, according to step 110 previously described (arrow F3).

The component #A next requests, from the operating system, the launch of the corresponding component A of the application to be secured 34 (arrow F4). This request is intercepted by the security library 24 in order to request authentication of the user, then, in case of successful authentication, to recover the key to unlock the security library 24. In the event of successful authentication of the user, the request is transmitted to the activity management service 49A of the operating system (arrow F5).

The operating system 20 then launches the component A of the application to be secured 34 using the activity management system 49A, according to step 140 previously described (arrow F6). The launch is done in the same process as that of the application for creating the execution environment 36 according to the information contained in the first configuration file 33.

During the execution of the application to be secured 34, the component A requests, from the operating system 20, the launch of the component B, and the virtual machine 28 then directs that request to the security library 24 (arrow F7) through the preceding step for substituting dynamic links. The request is then modified by the security library 24 so that the operating system 20 launches the component #B instead of the component B of the application to be secured 34, then sent to the activity management service 49A (arrow F8). The operating system 20 then launches the component #B (arrow F9).

The component #B then requests, from the operating system, the launch of the corresponding component B of the application to be secured 34 (arrow F10). This request is intercepted by the security library 24 in order to perform the corresponding secure processing, then sent to the activity management service 49A of the operating system (arrow F11).

The operating system 20 then launches the component B of the application to be secured 34 using the activity management service 49A (arrow F12). The component B, next wishing to store a data file, to that end calls a storage function (arrow F13). Through the preceding dynamic link substitution step, the security function for the data storage 37A of the security library is then automatically called, and the data file is encrypted by the security function 37A before being stored in the first memory 14 (arrow F14).

One skilled in the art will understand that if the component had wished to exchange data with another computing apparatus and had to that end called a data exchange function, then the data exchange security function 37B would similarly have been called automatically through the preceding step for substituting dynamic links.

One skilled in the art will also understand that if the component had wished to add debugging events and had to that end called a function for adding debugging events, then the function for deleting debugging events 37C would similarly have been called automatically through the preceding step for substituting dynamic links.

In the example embodiment of FIG. 5, the different requests described are done in administrator mode and then pass through the kernel 26. One skilled in the art will understand that certain requests may alternatively be made in user mode without passing through the kernel 26.

The computing apparatus 10, via the implementation of the method for dynamically creating the environment for executing the application to be secured 34 using the application for creating the execution environment 36, therefore makes it possible to secure the operation of the application 34, in particular regarding the launch of the components, the storage of data or the exchange of data with another computing apparatus, the latter being automatically encrypted via the appropriate functions of the security library 24.

This securing of the application 34 only requires rewriting the configuration file of the application (called Manifest file in the case of Android®), adding the application for creating the execution environment 36, the latter being encapsulated in the second package file 22B, or alternatively with the application 34 in the first package file 22A, as will be described below in the second embodiment, and adding the security library 24, if the set of libraries 27 does not already include such a library.

One skilled in the art will note that this securing does not require any modification of the source or binary code of the application to be secured 34, or any modification of the operating system 20.

FIG. 6 illustrates a second embodiment, for which the elements similar to the first embodiment, previously described, are identified by identical references, and are not described again.

According to the second embodiment, at least one so-called sensitive package file is in the form of a single package file, namely the first package file 22A. The first package file 22A then includes the first configuration file 33, the application to be secured 34 and the application for the dynamic creation of the execution environment 36. Similarly to the first embodiment, the application to be secured 34 and the application for the dynamic creation of the execution environment 36 are for example in the form of binary files.

The method for generating only the package file 22A according to the second embodiment will now be described using the flowchart in FIG. 6.

During the initial step 170, the application to be secured 34 and the initial configuration file are extracted from the initial package file using extraction component 40.

The initial configuration file thus extracted is next used during the following step 175 to create the first configuration file 33.

The first configuration file 33 is created by modifying the initial configuration file so that the application for creating the execution environment 36 is launched in place of the application to be secured 34 during the execution of the package file 22A.

The first configuration file 33 for example contains the same component declarations as those contained in the initial configuration file. The components declared in the first configuration file 33 for example reiterate the same message filters as those specified in the initial configuration file for the corresponding components.

The message filters, also called Intent filters, for the activities declared in the initial configuration file are for example renamed in the first configuration file 33, so as to prevent other applications from being able to modify those message filters.

Additionally, the components are declared in the first configuration file 33 as not being exportable.

Additionally, the name of the process declared in the first configuration file 33 is a predetermined name, in order to control how the computing apparatus 10 identifies the process.
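As an added illustration of step 175 (example code, not the patent's own), the following Python rewrites a decoded text copy of an Android manifest the way the page describes: the component declarations are kept, the components are made non-exportable and tied to a predetermined process name, and the actions of the activities' intent filters are renamed. That the manifest is already decoded to text, that "renaming" a filter means prefixing its action names, and that the environment-creating application 36 is started first by naming its Application subclass on the `<application>` element are assumptions of this example.

```python
"""Model of step 175: deriving the first configuration file 33 from the initial
Android manifest (assumption: the manifest is already decoded to text XML)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android(attr: str) -> str:
    """Qualified name of an android: attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample of an initial configuration file (Manifest file).
INITIAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="Example">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>
"""


def create_first_configuration_file(initial_xml: str, env_app_class: str,
                                    process_name: str, action_prefix: str):
    """Return (first configuration file as XML text, {old action: new action}).

    Every component declaration of the initial file is kept; the components
    become non-exportable, run in a predetermined process, and the actions of
    the activities' intent filters are renamed so that other applications
    cannot target those filters directly.
    """
    root = ET.fromstring(initial_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("initial configuration file has no <application>")
    # Assumption: naming the Application subclass of the environment-creating
    # application 36 here makes it run before the application to be secured.
    app.set(android("name"), env_app_class)
    renamed = {}
    for component in app:
        if component.tag not in COMPONENT_TAGS:
            continue
        component.set(android("exported"), "false")      # not exportable
        component.set(android("process"), process_name)  # predetermined process
        if component.tag != "activity":
            continue
        for action in component.iter("action"):
            old = action.get(android("name"))
            new = action_prefix + old
            action.set(android("name"), new)
            renamed[old] = new
    return ET.tostring(root, encoding="unicode"), renamed
```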

At the end of the creation of the first configuration file 33, the binary file of the application for the dynamic creation of the execution environment 36 is created during the following step 180. The binary file created is such that the application for the dynamic creation of the execution environment 36 is suitable for implementing the loading of the security library 24, substituting, from among one or more function calls associated with the application to be secured 34, at least one unsecured function call with a corresponding function call to the security library 24, and launching the application to be secured 34 after the substitution.

Additionally, the application for the dynamic creation of the execution environment 36 is suitable for locking the previously loaded security library 24 and the function call substitution(s) done.

Additionally, the application for creating the execution environment 36 is suitable for requesting authentication of the user of the computing apparatus 10, then, in case of successful authentication, recovering a key to unlock the security library 24.

Additionally, the application for creating the execution environment 36 is suitable for intercepting and processing messages exchanged between the operating system and the application to be secured 34, the messages being processed by the security library 24. The intercepted messages in particular relate to the standby, waking up of the application to be secured 34, the storage of data in the first memory 14 and the exchange of data with another computing apparatus.

During a following step 185, the binary file of the application for the dynamic creation of the execution environment 36 thus created is next encapsulated with the first configuration file 33, previously created during step 175, and with the binary file of the application to be secured 34 in the first package file 22A. One skilled in the art will observe that the binary file of the application to be secured 34 is not modified during the generation of the package file 22A using the generation method.

During the encapsulating step 185, the binary file of the application for the dynamic creation of the execution environment 36 is stored in the default location provided for a binary file in the package file. The binary file of the application to be secured 34 is stored in a secondary location, which also makes it possible for the application for creating the execution environment 36 to be launched in place of the application to be secured 34 during the execution of the package file 22A.

Additionally, the application for generating the package file(s) 25 also adds the security library 24 into the package file 22A.

Additionally, during the optional step 190, the package file 22A generated is cryptographically protected with a protection key and using cryptographic component 47.

The operation of the computing apparatus 10 according to this second embodiment is identical to that described for the first embodiment in light of FIGS. 4 and 5.

The advantages of the second embodiment are similar to those of the first embodiment previously described, and are not described again. The generating method according to this second embodiment further has the advantage of generating a single package file 22A to secure the application to be secured 34. This then makes it possible to simplify the installation procedure at the operating system 20, and more generally to simplify the deployment of this securing solution for the application to be secured 34.

One can see that the generating method according to at least one embodiment makes it possible to secure the application 34 during the execution of the package file while limiting the modifications of the code of the operating system, the application environment and the application to be secured 34.

Although the method for generating package files and the method for the dynamic creation of the execution environment of the application to be secured, as well as the computing device and the computing apparatus, have been described in relation to an operating system including a virtual machine capable of executing the application, one skilled in the art will understand that some embodiments can also apply to an operating system not including a virtual machine, the application then being executed directly by the processor of the information processing unit.

According to another aspect, at least one embodiment relates to a method for the dynamic creation of an execution environment for the application to be secured 34 to secure the application 34, the method being implemented by the computing apparatus 10 comprising the information processing unit 12 and the memory 14, the memory 14 being associated with the information processing unit 12 and including the operating system 20, the application to be secured 34 and the security library 24 including at least one security function 37A, 37B, 37C, the operating system 20 including the set 27 of function libraries comprising the unsecured function library 48, the application to be secured 34 being, during its execution, designed to call a function of the unsecured function library 48.

The method for the dynamic creation of the execution environment comprises the following steps, implemented through the application of the dynamic creation of the execution environment 36 stored in the memory 14: loading 100 the security library 24, substituting 110, among the function call(s) associated with the application to be secured 34, at least one call to an unsecured function with a call to a corresponding function 37A, 37B, 37C of the security library 24, and launching 140 the application to be secured 34 after the substitution step 110.

Additionally and optionally, the substitution step 110 includes the deletion of a dynamic link between the application to be secured 34 and the unsecured function, and the creation of the dynamic substitution link between the application to be secured 34 and the corresponding function 37A, 37B, 37C of the security library 24.

Additionally and optionally, among the function call(s) associated with the application to be secured 34, all of the calls to a data storage function are substituted with calls to the function 37A for securing the data storage.

Additionally and optionally, among the function call(s) associated with the application to be secured 34, all of the calls to the data exchange function with another computing apparatus are substituted with calls to the function 37B to secure data exchanges with the other computing apparatus.

Additionally and optionally, among the function call(s) associated with the application to be secured 34, all of the calls to a debugging event addition function are substituted with calls to the function 37C for deleting debugging events.

Additionally and optionally, the method for the dynamic creation of the execution environment further comprises, for the step for launching the application 140, the step 115 for locking the security library 24 loaded during the loading step 100 and the function call substitution(s) done during the substitution step 110.

Additionally and optionally, the method for the dynamic creation of the execution environment further comprises, for the step for launching the application 140, the step 120 for authenticating the user of the computing apparatus 10 and recovering the key to unlock the security library 24.

Additionally and optionally, the method for the dynamic creation of the execution environment further comprises, for the step for launching the application 140, the step 130 for intercepting a message exchange between the operating system 20 and the application to be secured 34, and processing the message using the corresponding function of the security library 24.

The application for creating the execution environment 36 is preferably an application dedicated to the application(s) to be secured 34, and is distinct from the operating system 20.

According to this other aspect, at least one embodiment also relates to a computer program product including software instructions which, when implemented by the information processing unit 12 integrated into the computing apparatus 10, implements the method for the dynamic creation of the execution environment as defined above.

According to this other aspect, at least one embodiment also relates to the computing apparatus 10 comprising the information processing unit 12, and the memory 14 including the operating system 20, at least one application to be secured 34 and the security library 24 including at least one security function 37A, 37B, 37C, the memory 14 being associated with the information processing unit 12.

The operating system 20 includes the set 27 of function libraries comprising the unsecured function library 48, the application to be secured 34 being designed to call a function of the unsecured function library 48.

The memory 14 further includes the application 36 for the dynamic creation of the execution environment for the application to be secured 34, the application for the creation of the execution environment 36 including the component 50 for loading the security library 24, the component 52 for substituting, among the function call(s) associated with an application to be secured 34, at least one call to an unsecured function with a call to a corresponding function 37A, 37B, 37C of the security library 24, and component 58 for launching the application to be secured 34 after the substitution of the unsecured function call by the call to the security function 37A, 37B, 37C.

While there have been shown and described and pointed out the fundamental novel features of the invention as applied to certain inventive embodiments, it will be understood that the foregoing is considered as illustrative only of the principles of the invention and not intended to be exhaustive or to limit the invention to the precise forms disclosed. Obvious modifications or variations are possible in light of the above teachings. The embodiments discussed were chosen and described to provide the best illustration of the principles of the invention and its practical application to enable one of ordinary skill in the art to utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. All such modifications and variations are within the scope of the invention as determined by the appended claims when interpreted in accordance with the breadth to which they are entitled.

Claims

1. A method for generating, from an initial package file comprising an application to be secured and an initial configuration file, at least one package file for securing the application, the generating method being implemented by a computing device comprising an information processing unit and a memory,

wherein the method is carried out by an application for generating package files, the application being stored in the memory of the computing device, and wherein the method comprises:
extracting, from the initial package file, the application to be secured and the initial configuration file;
creating a first configuration file from the initial configuration file;
creating an application for dynamically creating an execution environment for the application to be secured, wherein the application for the dynamic creation of the execution environment is configured to implement the loading of a security library, substitute, from a function call or function calls associated with the application to be secured, of at least one call to an unsecured function with a call to a corresponding function of the security library, and launch the application to be secured after the substitution; and
encapsulating the first configuration file and the application to be secured in a first package file, wherein the application for the dynamic creation of the execution environment is encapsulated in the first package file or in a second package file, the second package file including the application for the dynamic creation of the execution environment and a second configuration file.

2. The method according to claim 1, wherein the creating of the first configuration file further comprises modifying the initial configuration file so that the application for creating the execution environment is launched in place of the application to be secured during the execution of the corresponding package file.

3. The method according to claim 1, wherein the first package file includes the first configuration file and the application to be secured, and the second package file includes the second configuration file and the application for creating the execution environment,

wherein each application among the application to be secured and the application for creating the execution environment comprises at least one component, each configuration file containing one or more component declarations, and
wherein the method further comprises creating the second configuration file, the second configuration file containing the same component declarations as the initial configuration file.

4. The method according to claim 3, wherein at least one declared component in each configuration file is a content provider, and the content provider is declared in the second configuration file with a higher priority than that of the content provider declared in the first configuration file, so that the content provider of the application for creating the execution environment is launched before the content provider of the application to be secured.

5. The method according to claim 1, wherein the first package file includes the first configuration file and the application to be secured, the second package file includes the second configuration file and the application for creating the execution environment,

wherein the initial configuration file includes activity declarations and message filters associated with the declared activities, and
wherein the creating of the first configuration file further comprises deleting the message filters for the activities declared in the initial configuration file in the first configuration file.

6. The method according to claim 1, wherein the first package file includes the first configuration file, the application to be secured and the application for creating the execution environment, and the first package file is configured so that the application for creating the execution environment is launched before the application to be secured.

7. The method according to claim 1, wherein, the application for the dynamic creation of the execution environment, created during the creation step, is further configured to filter the interactions between the application to be secured and other unsecured applications or interactions between the application to be secured and the operating system according to the predefined filtering rules in the application for the dynamic creation of the execution environment.

8. The method according to claim 1, wherein the method further comprises cryptographically protecting, with at least one protection key, the generated package files.

9. The method according to claim 8, wherein the first package file includes the first configuration file and the application to be secured, and the second package file includes the second configuration file and the application for creating the execution environment, and

wherein, during the cryptographic protection step, the cryptographic protection of the first package file and the cryptographic protection of the second package file are done with the same protection key.

10. A computer program product including software instructions which, when implemented by an information processing unit integrated into a computer device, implements the generating method according to claim 1.

11. A computing device comprising an information processing unit and a memory that is associated with the information processing unit,

wherein the memory includes an application configured to generate, from an initial package file including an application to be secured and an initial configuration file, at least one package file for securing the application,
the application for generating package file(s) including: an extraction component configured to extract the application to be secured and the initial configuration file from the initial package file, a first creation component configured to create a first configuration file from the initial configuration file, a second creation component configured to create an application for the dynamic creation of an execution environment for the application to be secured, wherein the application for the dynamic creation of the execution environment is configured to implement the loading of a security library, substitute, from among one or more function call(s) associated with an application to be secured, at least one call to an unsecured function with a call to a corresponding function of the security library, and launch the application to be secured after the substitution step, and an encapsulation component configured to encapsulate the first configuration file and the application to be secured in a first package file, wherein the application for the dynamic creation of the execution environment is encapsulated in the first package file or in a second package file, the second package file then including the application for the dynamic creation of the execution environment and a second configuration file.
Patent History
Publication number: 20140223426
Type: Application
Filed: Apr 4, 2014
Publication Date: Aug 7, 2014
Applicant: THALES (Neuilly Sur Seine)
Inventors: Ben Youcef Ech-Chergui (Cholet), Adrien Bioteau (Cholet)
Application Number: 14/245,923
Classifications
Current U.S. Class: Software Installation (717/174)
International Classification: G06F 9/445 (20060101); G06F 21/52 (20060101);