Secured inter-application communication in mobile devices

US 10,148,640 B2
Filed: 09/12/2016
Issued: 12/04/2018
Est. Priority Date: 10/01/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for accessing network resources using single sign-in information, comprising:

receiving, by a first application in a mobile computing device, sign-in information from a user; and

enabling the user to sign in to a second application, in the mobile computing device, with the first application to allow the second application to access network resources on behalf of the user from the resource server based on (a) a first application identification (ID) of the second application, the first application ID being associated with an application distribution server storing the second application, (b) the user authorizing the second application to the resource server, and (c) receiving an access token from the resource server to allow the second application to access the network resources, the second application being configured to generate an encryption key pair including a public key and a private key, the public key being communicated to the first application with a second application identification (ID) assigned to the second application by the resource server during registration of the second application with the resource server, the mobile computing device coupled with the resource server and distribution server via a network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This disclosure describes a method for accessing network resources which includes receiving by a first application in a mobile computing device sign-in information from a user and enabling the user to sign in to a second application with the first application to access network resources from a resource server based on (a) a first application identification (ID) of the second application, (b) the user authorizing the second application to the resource server, and (c) receiving an authorization grant from the resource server to enable the second application to access the network resources, the mobile computing device coupled with the resource server via a network.

Citations

19 Claims

1. A computer-implemented method for accessing network resources using single sign-in information, comprising:
- receiving, by a first application in a mobile computing device, sign-in information from a user; and
  
  enabling the user to sign in to a second application, in the mobile computing device, with the first application to allow the second application to access network resources on behalf of the user from the resource server based on (a) a first application identification (ID) of the second application, the first application ID being associated with an application distribution server storing the second application, (b) the user authorizing the second application to the resource server, and (c) receiving an access token from the resource server to allow the second application to access the network resources, the second application being configured to generate an encryption key pair including a public key and a private key, the public key being communicated to the first application with a second application identification (ID) assigned to the second application by the resource server during registration of the second application with the resource server, the mobile computing device coupled with the resource server and distribution server via a network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising communicating the first application ID to a verification server to verify that the second application is the trusted application, the mobile computing device being coupled with the verification server via the network.
  - 3. The method of claim 1, further comprising:
    - submitting a request, by the first application, for an authorization from the resource server, wherein the request includes (a) the second application ID assigned to the second application and the public key, and (b) a redirect link to an entry point in the second application; and
      
      receiving, by the first application, an authorization grant from the resource server based on the second application ID having been verified by the resource server.
  - 4. The method of claim 3, further comprising:
    - receiving, by the first application, an authorization by the user to authorize the second application to access the resources from the resource server on behalf of the user; and
      
      communicating, by the first application, the authorization by the user and the authorization grant to the resource server.
  - 5. The method of claim 4, further comprising:
    - receiving, by the first application, an access token from the resource server, the access token to be used by the second application to access the resources in the resource server on behalf of the user;
      
      encrypting, by the first application, the access token using the public key received from the second application; and
      
      communicating the encrypted access token, by the first application, to the second application.
  - 6. The method of claim 5, further comprising:
    - decrypting the encrypted access token, by the second application, using the private key to generate a decrypted access token;
      
      using the decrypted access token, by the second application, to access the network resources from the resource server; and
      
      delivering the network resources, by the second application, to the user.
  - 7. The method of claim 6, wherein communication between the first application and the second application is based on an inter-process communication (IPC) protocol.

8. A computer program product, comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to be executed to implement a method comprising:
- receiving, by a first application in a mobile computing device, sign-in information from a user; and
  
  enabling the user to sign in to a second application, in the mobile computing device, with the first application to allow the second application to access network resources on behalf of the user from the resource server based on (a) a first application identification (ID) of the second application, (b) the user authorizing the second application to the resource server, and (c) receiving an access token from the resource server to allow the second application to access the network resources, the second application being configured to generate an encryption key pair including a public key and a private key, the public key being communicated to the first application with a second application identification (ID) assigned to the second application by the resource server during registration of the second application with the resource server, the mobile computing device coupled with the resource server and distribution server via a network.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer program product of claim 8, further comprising communicating the first application ID to a verification server to verify that the second application is a trusted application, the mobile computing device being coupled with the verification server via the network.
  - 10. The computer program product of claim 8, further comprising:
    - submitting a request, by the first application, for an authorization from the resource server, wherein the request includes (a) the second application ID assigned to the second application and the public key, and (b) a redirect link to an entry point in the second application;
      
      receiving, by the first application, an authorization grant from the resource server based on the second application ID having been verified by the resource server;
      
      receiving, by the first application, an authorization by the user to authorize the second application to access the resources from the resource server on behalf of the user; and
      
      communicating, by the first application, the authorization by the user and the authorization grant to the resource server.
  - 11. The computer program product of claim 10 further comprising:
    - receiving, by the first application, an access token from the resource server, the access token to be used by the second application to access the resources in the resource server on behalf of the user;
      
      encrypting, by the first application, the access token using the public key received from the second application; and
      
      communicating the encrypted access token, by the first application, to the second application.
  - 12. The computer program product of claim 11, further comprising:
    - decrypting the encrypted access token, by the second application, using the private key to generate a decrypted access token;
      
      using the decrypted access token, by the second application, to access the network resources from the resource server; and
      
      delivering the network resources, by the second application, to the user.

13. An apparatus comprising:
- one or more processors; and
  
  a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to;
  
  receive, by a first application in a mobile computing device, sign-in information from a user; and
  
  enable the user to sign in to a second application, in the mobile computing device, with the first application to allow the second application to access network resources on behalf of the user from the resource server based on (a) a first application identification (ID) of the second application, the first application ID being associated with an application distribution server storing the second application, (b) the user authorizing the second application to the resource server, and (c) receiving an access token from the resource server to allow the second application to access the network resources, the second application being configured to generate an encryption key pair including a public key and a private key, the public key being communicated to the first application with a second application identification (ID) assigned to the second application by the resource server during registration of the second application with the resource server, the mobile computing device coupled with the resource server and distribution server via a network.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The apparatus of claim 13, further comprising instructions, which when executed, will cause the one or more processors to communicate the first application ID to a verification server to verify that the second application is the trusted application, the mobile computing device being coupled with the verification server via the network.
  - 15. The apparatus of claim 13, further comprising instructions, which when executed, will cause the one or more processors to:
    - submit a request, by the first application, for an authorization from the resource server, wherein the request includes (a) the second application ID assigned to the second application and the public key, and (b) a redirect link to an entry point in the second application; and
      
      receive, by the first application, an authorization grant from the resource server based on the second application ID having been verified by the resource server.
  - 16. The apparatus of claim 15, further comprising instructions, which when executed, will cause the one or more processors to:
    - receive, by the first application, an authorization by the user to authorize the second application to access the resources from the resource server on behalf of the user; and
      
      communicate, by the first application, the authorization by the user and the authorization grant to the resource server.
  - 17. The apparatus of claim 16, further comprising instructions, which when executed, will cause the one or more processors to:
    - receive, by the first application, an access token from the resource server, the access token to be used by the second application to access the resources in the resource server on behalf of the user;
      
      encrypt, by the first application, the access token using the public key received from the second application; and
      
      communicate the encrypted access token, by the first application, to the second application.
  - 18. The apparatus of claim 17, further comprising instructions, which when executed, will cause the one or more processors to:
    - decrypt the encrypted access token, by the second application, using the private key to generate a decrypted access token;
      
      use the decrypted access token, by the second application, to access the network resources from the resource server; and
      
      deliver the network resources, by the second application, to the user.
  - 19. The apparatus of claim 18, wherein communication between the first application and the second application is based on an inter-process communication (IPC) protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Desai, Sachin, Liu, Qingqing, Fischer, Ronald
Primary Examiner(s)
Poltorak, Piotr

Application Number

US15/262,518
Publication Number

US 20160381002A1
Time in Patent Office

813 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 9/54   Interprogram communication

G06F 9/544   Buffers; Shared memory; Pipes

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 63/126   the source of the received ...

H04W 12/06   Authentication

Secured inter-application communication in mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secured inter-application communication in mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links