Systems and methods for classifying permissions on mobile devices

US 10,114,944 B1
Filed: 11/12/2015
Issued: 10/30/2018
Est. Priority Date: 11/12/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for classifying permissions on mobile devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

detecting, by the at least one processor, that an application installed and executing on a mobile device is issuing a request, through an operating system of the mobile device, for one or more requested permissions to access one or more components of the mobile device that would otherwise be blocked by the operating system of the mobile device;

determining, by the at least one processor, an intended use of the application;

in response to detecting that the application is issuing the request, performing, by the at least one processor and through a security system distinct from the application and the operating system, an analysis of the request being issued by the application at least in part by determining whether the intended use of the application corresponds to an expected use of the one or more requested permissions; and

providing, by the at least one processor via a graphical user interface and prior to an end user of the mobile device granting the one or more requested permissions to the application, a result of the analysis to the end user of the mobile device that indicates a security implication that would be caused by the end user granting the one or more requested permissions to the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for classifying permissions on mobile devices may include (1) detecting that an application executing on a mobile device is issuing a request for one or more requested permissions to access one or more components of the mobile device, (2) determining an intended use of the application, (3) performing, through a security system distinct from the application and the operating system, an analysis of the request issued by the application at least in part by determining whether the intended use of the application corresponds to an expected use of the requested permission, and (4) providing, via a graphical user interface, a result of the analysis to an end user of the mobile device that indicates a security implication caused by granting the one or more requested permissions to the application. Various other methods, systems, and computer-readable media are also disclosed.

17 Citations

View as Search Results

20 Claims

1. A computer-implemented method for classifying permissions on mobile devices, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting, by the at least one processor, that an application installed and executing on a mobile device is issuing a request, through an operating system of the mobile device, for one or more requested permissions to access one or more components of the mobile device that would otherwise be blocked by the operating system of the mobile device;
  
  determining, by the at least one processor, an intended use of the application;
  
  in response to detecting that the application is issuing the request, performing, by the at least one processor and through a security system distinct from the application and the operating system, an analysis of the request being issued by the application at least in part by determining whether the intended use of the application corresponds to an expected use of the one or more requested permissions; and
  
  providing, by the at least one processor via a graphical user interface and prior to an end user of the mobile device granting the one or more requested permissions to the application, a result of the analysis to the end user of the mobile device that indicates a security implication that would be caused by the end user granting the one or more requested permissions to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein performing the analysis comprises:
    - identifying a permission intent category of the requested permission that describes the expected use of the requested permission;
      
      identifying, based at least in part on the intended use of the application, an application intent category of the application that classifies applications that are similar to each other by intended use; and
      
      comparing the permission intent category to the application intent category.
  - 3. The method of claim 1, wherein determining the intended use of the application comprises at least one of:
    - performing a static analysis of code of the application; and
      
      querying an application store that hosts the application.
  - 4. The method of claim 1, wherein performing the analysis of the request comprises determining, across a plurality of mobile devices, at least one of:
    - a frequency at which instances of the application request the requested permission; and
      
      a frequency at which instances of the application utilize the requested permission.
  - 5. The method of claim 1, wherein performing the analysis of the request comprises comparing permissions requested by a previous version of the application to permissions requested by a current version of the application.
  - 6. The method of claim 1, further comprising compiling a list of permissions requested by a plurality of instances of the application that each executed on a separate mobile device, wherein performing the analysis of the request comprises determining, by searching the list of permissions, whether any application instance has previously requested the requested permission.
  - 7. The method of claim 1, further comprising compiling a list of permissions requested by other applications that are classified under a same intent category as the application, wherein performing the analysis of the request comprises determining, by searching the list of permissions, whether any of the other applications have previously requested the requested permission.
  - 8. The method of claim 1, wherein the component of the mobile device comprises at least one of:
    - information stored on the mobile device;
      
      a hardware component of the mobile device;
      
      a network interface of the mobile device; and
      
      an application programming interface of the mobile device.
  - 9. The method of claim 1, wherein performing the analysis of the request comprises determining that denying access to the requested permission will not adversely affect intended operation of the application.
  - 10. The method of claim 1, wherein the result of the analysis comprises a trust score for the requested permission that indicates a level of confidence in the requested permission being safe to grant to the application.

11. A system for classifying permissions on mobile devices, the system comprising:
- a detection module, stored in a memory of the system, that detects that an application installed and executing on a mobile device is issuing a request, through an operating system of the mobile device, for one or more requested permissions to access one or more components of the mobile device that would otherwise be blocked by the operating system of the mobile device;
  
  a determination module, stored in the memory, that determines an intended use of the application;
  
  a performing module, stored in the memory, that, in response to detecting that the application is issuing the request, performs, through a security system distinct from the application and the operating system, an analysis of the request issued by the application at least in part by determining whether the intended use of the application corresponds to an expected use of the one or more requested permissions;
  
  a providing module, stored in the memory, that provides, via a graphical user interface and prior to an end user of the mobile device granting the one or more requested permissions to the application, a result of the analysis to the end user of the mobile device that indicates a security implication that would be caused by the end user granting the one or more requested permissions to the application; and
  
  at least one physical computing processor configured to execute the detection module, the determination module, the performing module, and the providing module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the performing module:
    - identifies a permission intent category of the requested permission that describes the expected use of the requested permission;
      
      identifies an application intent category of the application that classifies applications that are similar to each other by intended use; and
      
      compares the permission intent category to the application intent category.
  - 13. The system of claim 11, wherein the determination module determines an intended use of the application by at least one of:
    - performing a static analysis of code of the application; and
      
      querying an application store that hosts the application.
  - 14. The system of claim 11, wherein the performing module performs the analysis of the request by determining, across a plurality of mobile devices, at least one of:
    - a frequency at which instances of the application request the requested permission; and
      
      a frequency at which instances of the application utilize the requested permission.
  - 15. The system of claim 11, wherein the performing module performs the analysis of the request by comparing permissions requested by a previous version of the application to permissions requested by a current version of the application.
  - 16. The system of claim 11:
    - further comprising a compiling module, stored in memory, that compiles a list of permissions requested by a plurality of instances of the application that each executed on a separate mobile device; and
      
      wherein the performing module performs the analysis of the request by determining, by searching the list of permissions, whether any application instance has previously requested the requested permission.
  - 17. The system of claim 11:
    - further comprising a compiling module, stored in memory, that compiles a list of permissions requested by other applications that are classified under a same intent category as the application; and
      
      the performing module performs the analysis of the request by determining, by searching the list of permissions, whether any of the other applications have previously requested the requested permission.
  - 18. The system of claim 11, wherein the component of the mobile device comprises at least one of:
    - information stored on the mobile device;
      
      a hardware component of the mobile device;
      
      a network interface of the mobile device; and
      
      an application programming interface of the mobile device.
  - 19. The system of claim 11, wherein the performing module performs the analysis of the request by determining that denying access to the requested permission will not adversely affect intended operation of the application.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect, by the at least one processor, that an application installed and executing on a mobile device is issuing a request, through an operating system of the mobile device, for one or more requested permissions to access one or more components of the mobile device that would otherwise be blocked by the operating system of the mobile device;
  
  determine, by the at least one processor, an intended use of the application;
  
  in response to detecting that the application is issuing the request, perform, by the at least one processor and through a security system distinct from the application and the operating system, an analysis of the request being issued by the application at least in part by determining whether the intended use of the application corresponds to an expected use of the one or more requested permissions; and
  
  provide, by the at least one processor via a graphical user interface and prior to an end user of the mobile device granting the one or more requested permissions to the application, a result of the analysis to the end user of the mobile device that indicates a security implication that would be caused by the end user granting the one or more requested permissions to the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Li, Jinghao, Chen, Joseph
Primary Examiner(s)
Brown, Christopher J

Application Number

US14/938,874
Time in Patent Office

1,083 Days
Field of Search

726 17
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/629   to features or functions of...

G06F 2221/033   Test or assess software

Systems and methods for classifying permissions on mobile devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for classifying permissions on mobile devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links