Assessing application authenticity and performing an action in response to an evaluation result

US 10,256,979 B2
Filed: 12/13/2013
Issued: 04/09/2019
Est. Priority Date: 06/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a server, over a communication network from a second computing device, a known signing identifier of a known source;

storing, by the server, component data for at least one known component of the known source;

receiving, by the server, from a first computing device, a first signing identifier for a first application to be installed on the first computing device, wherein a third computing device provides the first application for installation on the first computing device;

receiving, by the server, from the third computing device, a first package identifier of the first application;

in response to receiving the first signing identifier from the first computing device;

challenging the known source to authenticate itself, the challenge comprising sending data to the second computing device to be signed with a private key, receiving the signed data from the second computing device, and confirming the signed data corresponds to the known signing identifier;

in response to confirming the signed data corresponds to the known signing identifier;

identifying a first plurality of applications other than the first application that are each signed with the known signing identifier, andidentifying a second plurality of applications that are each similar to the first application and are each signed with a signing identifier that is different from the known signing identifier, wherein the identifying comprises making a comparison between a characteristic of the component data attributable to a component associated with the first package identifier and a characteristic that has been identified in the first application, and determining that each of the second plurality of applications uses the at least one known component of the known source; and

evaluating, by the server, authenticity of the first application to provide a result, the evaluating comprising determining that the at least one known component is similar to at least one first component of the first application, the similarity based on comparing a structural characteristic of the at least one first component to the component data for the at least one known component, and determining that the first signing identifier is different from the known signing identifier, wherein the evaluating is further based on a plurality of inputs comprising a history of prior usage of the first signing identifier to sign a known bad application other than the first application; and

in response to the result, sending, by the server, over the communication network, at least one electronic communication to the first computing device to block installation of the first application on the first computing device, and sending at least one communication to the second computing device regarding usage of the at least one known component in the first application, wherein the at least one communication further identifies the first plurality of applications and the second plurality of applications.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authenticity of a new application being installed on a mobile device is evaluated to provide a result. The evaluation uses a plurality of inputs. In response to the result, an action is performed (e.g., on the mobile device itself and/or a server performing or assisting with the evaluation). For example, the evaluating may be done for an application that a user of the mobile device desires to install from an application marketplace. In another example, the action is sending of a notification to the mobile device, and the notification includes an assessment of authenticity of the new application.

Citations

26 Claims

1. A method, comprising:
- receiving, by a server, over a communication network from a second computing device, a known signing identifier of a known source;
  
  storing, by the server, component data for at least one known component of the known source;
  
  receiving, by the server, from a first computing device, a first signing identifier for a first application to be installed on the first computing device, wherein a third computing device provides the first application for installation on the first computing device;
  
  receiving, by the server, from the third computing device, a first package identifier of the first application;
  
  in response to receiving the first signing identifier from the first computing device;
  
  challenging the known source to authenticate itself, the challenge comprising sending data to the second computing device to be signed with a private key, receiving the signed data from the second computing device, and confirming the signed data corresponds to the known signing identifier;
  
  in response to confirming the signed data corresponds to the known signing identifier;
  
  identifying a first plurality of applications other than the first application that are each signed with the known signing identifier, andidentifying a second plurality of applications that are each similar to the first application and are each signed with a signing identifier that is different from the known signing identifier, wherein the identifying comprises making a comparison between a characteristic of the component data attributable to a component associated with the first package identifier and a characteristic that has been identified in the first application, and determining that each of the second plurality of applications uses the at least one known component of the known source; and
  
  evaluating, by the server, authenticity of the first application to provide a result, the evaluating comprising determining that the at least one known component is similar to at least one first component of the first application, the similarity based on comparing a structural characteristic of the at least one first component to the component data for the at least one known component, and determining that the first signing identifier is different from the known signing identifier, wherein the evaluating is further based on a plurality of inputs comprising a history of prior usage of the first signing identifier to sign a known bad application other than the first application; and
  
  in response to the result, sending, by the server, over the communication network, at least one electronic communication to the first computing device to block installation of the first application on the first computing device, and sending at least one communication to the second computing device regarding usage of the at least one known component in the first application, wherein the at least one communication further identifies the first plurality of applications and the second plurality of applications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 15)
- - 2. The method of claim 1, further comprising receiving the first package identifier from the first computing device.
  - 3. The method of claim 2, further comprising receiving the first application from the first computing device.
  - 4. The method of claim 2, wherein the first signing identifier is one of a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key.
  - 5. The method of claim 1, wherein the plurality of inputs further comprises receipt, from the second computing device, of an indication of ownership in the at least one known component.
  - 6. The method of claim 5, wherein the plurality of inputs further comprises a model.
  - 7. The method of claim 1, further comprising comparing the first signing identifier to a signing key, of the known source, in a registry of known signing keys.
  - 8. The method of claim 7, wherein the registry comprises a plurality of package identifiers, each identifier associated with a respective one of the known signing keys, the method further comprising comparing the first package identifier of the first application to the plurality of package identifiers.
  - 9. The method of claim 1, wherein the result from the evaluating is a score, and the sending the at least one electronic communication is based on a comparison of the score to a threshold.
  - 10. The method of claim 1, wherein the evaluating authenticity of the first application further comprises identifying at least one known application having at least one of an identical package identifier, code similarity, identical strings, similar strings, identical media assets, or similar media assets.
  - 11. The method of claim 1, further comprising building or updating a data set about the first application, and the evaluating further comprising using the data set.
  - 12. The method of claim 1, further comprising storing information about the first application in a data repository, and the evaluating further comprising accessing the data repository.
  - 15. The method of claim 1, wherein the third computing device is an application marketplace.

13. A system, comprising:
- a data repository to store component data for at least one known component of a known source;
  
  at least one processor; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  receive, from a second computing device, a known signing identifier of the known source;
  
  receive, from a first computing device, a first signing identifier for a first application, wherein a third computing device provides the first application for installation on the first computing device;
  
  challenge the known source to authenticate itself, the challenge comprising sending data to the second computing device to be signed with a private key, receiving the signed data from the second computing device, and confirming the signed data corresponds to the known signing identifier;
  
  in response to confirming the signed data corresponds to the known signing identifier;
  
  identify a first plurality of applications that are each similar to the first application and are each signed with a signing identifier that is different from the known signing identifier, wherein the identifying comprises making a comparison between a characteristic of the component data and a characteristic that has been identified in the first application, and determining that each of the first plurality of applications uses the at least one known component of the known source;
  
  evaluate authenticity of the first application to provide a result, the evaluating comprising determining that the at least one known component is similar to at least one first component of the first application, the similarity based on comparing a structural characteristic of the at least one first component to the component data for the at least one known component, and determining that the first signing identifier is different from the known signing identifier, wherein the evaluating is further based on a plurality of inputs comprising a history of prior usage of the first signing identifier to sign a known bad application other than the first application; and
  
  in response to the result, sending at least one electronic communication to the first computing device to block installation of the first application on the first computing device, and sending at least one communication to the second computing device regarding usage of the at least one known component, wherein the at least one communication further identifies the first plurality of applications.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The system of claim 13, wherein the instructions are further configured to instruct the at least one processor to receive a first package identifier from the first computing device.
  - 17. The system of claim 16, wherein the instructions are further configured to instruct the at least one processor to receive the first application from the first computing device.
  - 18. The system of claim 16, wherein the first signing identifier is one of a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key.
  - 19. The system of claim 13, wherein the plurality of inputs further comprises receipt, from the second computing device, of an indication of ownership in the at least one known component.
  - 20. The system of claim 19, wherein the plurality of inputs further comprises a model.
  - 21. The system of claim 13, wherein the instructions are further configured to instruct the at least one processor to compare the first signing identifier to a signing key, of the known source, in a registry of known signing keys.
  - 22. The system of claim 21, wherein the registry comprises a plurality of package identifiers, each identifier associated with a respective one of the known signing keys, and wherein the instructions are further configured to instruct the at least one processor to compare a first package identifier of the first application to the plurality of package identifiers.

14. A non-transitory computer-readable storage medium storing computer-readable instructions, which when executed, cause a computing system to:
- receive, over a communication network from a second computing device, a known signing identifier of a known source;
  
  store component data for at least one known component of the known source;
  
  receive, from a first computing device, a first signing identifier for a first application to be installed on the first computing device, wherein a third computing device provides the first application for installation on the first computing device;
  
  challenge the known source to authenticate itself, the challenge comprising sending data to the second computing device to be signed with a private key, receiving the signed data from the second computing device, and confirming the signed data corresponds to the known signing identifier;
  
  in response to confirming the signed data corresponds to the known signing identifier;
  
  identify a first plurality of applications that are each similar to the first application and are each signed with a signing identifier that is different from the known signing identifier, wherein the identifying comprises making a comparison between a characteristic of the component data and a characteristic that has been identified in the first application, and determining that each of the first plurality of applications uses the at least one known component of the known source;
  
  evaluate authenticity of the first application to provide a result, the evaluating comprising determining that the at least one known component is similar to at least one first component of the first application, the similarity based on comparing a structural characteristic of the at least one first component to the component data for the at least one known component, and determining that the first signing identifier is different from the known signing identifier, wherein the evaluating is further based on a plurality of inputs comprising a history of prior usage of the first signing identifier to sign a known bad application other than the first application; and
  
  in response to the result, sending, over the communication network, at least one electronic communication to the first computing device to block installation of the first application on the first computing device, and sending at least one communication to the second computing device regarding usage of the at least one known component in the first application, wherein the at least one communication further identifies the first plurality of applications.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The non-transitory computer-readable storage medium of claim 14, wherein the result from the evaluating is a score, and the sending the at least one electronic communication is based on a comparison of the score to a threshold.
  - 24. The non-transitory computer-readable storage medium of claim 14, wherein the evaluating authenticity of the first application further comprises identifying at least one known application having at least one of an identical package identifier, code similarity, identical strings, similar strings, identical media assets, or similar media assets.
  - 25. The non-transitory computer-readable storage medium of claim 14, wherein the computer-readable instructions further cause the computing system to build or update a data set about the first application, and the evaluating further comprises using the data set.
  - 26. The non-transitory computer-readable storage medium of claim 14, wherein the computer-readable instructions further cause the computing system to:
    - compare the first signing identifier to a signing key, of the known source, in a registry of known signing keys, wherein the registry comprises a plurality of package identifiers, each identifier associated with a respective one of the known signing keys; and
      
      compare a first package identifier of the first application to the plurality of package identifiers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Wyatt, Timothy Micheal, Evans, Daniel Lee, Ong, Emil Barker, Strazzere, Timothy, LaMantia, Matthew John Joseph, Buck, Brian James
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/105,950
Publication Number

US 20150172057A1
Time in Patent Office

1,943 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 8/60   Software deployment

G06F 8/70   Software maintenance or man...

G06Q 30/0241   Advertisements

H04L 43/04   Processing captured monitor...

H04L 43/06   Generation of reports

H04L 9/3247   involving digital signatures

Assessing application authenticity and performing an action in response to an evaluation result

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Assessing application authenticity and performing an action in response to an evaluation result

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links