Secure app-to-app communication

US 10,284,369 B2
Filed: 06/30/2017
Issued: 05/07/2019
Est. Priority Date: 03/01/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

providing, from a first mobile application of a mobile device to a second mobile application of the mobile device via a first uniform resource locator (URL), information that includes a first encryption information associated with the first mobile application of the mobile device, an identifier of a shared storage location, and a first mobile application identifier, wherein the first mobile application is a management agent associated with a management server and the second mobile application is a managed application, wherein the second mobile application is configured to validate the first mobile application based in part on the information, wherein in response to validating the first mobile application, the second mobile application is configured to provide second encryption information to the first mobile application via a second URL and a message indicating the second encryption information has been sent via the second URL to the shared storage location;

receiving, at the first mobile application of the mobile device from the second mobile application of the mobile device via the second URL, the second encryption information associated with the second mobile application of the mobile device;

validating, by the first application, an identity of the second mobile application based in part on a payload of the second URL;

generating a shared encryption key based at least in part on the first encryption information and the second encryption information; and

using the shared encryption key to encrypt data to be transferred from the first mobile application of the mobile device to the second mobile application of the mobile device via the shared storage location, wherein the management server is configured to manage the second mobile application via the encrypted data provided by the first mobile application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure application-to-application communication is disclosed. A shared encryption key may be used to encrypt data to be transferred from a first mobile application to a second mobile application. The encrypted data is provided to a shared storage location. The second mobile application is configured to retrieve the encrypted data from the shared storage location.

39 Citations

View as Search Results

25 Claims

1. A method, comprising:
- providing, from a first mobile application of a mobile device to a second mobile application of the mobile device via a first uniform resource locator (URL), information that includes a first encryption information associated with the first mobile application of the mobile device, an identifier of a shared storage location, and a first mobile application identifier, wherein the first mobile application is a management agent associated with a management server and the second mobile application is a managed application, wherein the second mobile application is configured to validate the first mobile application based in part on the information, wherein in response to validating the first mobile application, the second mobile application is configured to provide second encryption information to the first mobile application via a second URL and a message indicating the second encryption information has been sent via the second URL to the shared storage location;
  
  receiving, at the first mobile application of the mobile device from the second mobile application of the mobile device via the second URL, the second encryption information associated with the second mobile application of the mobile device;
  
  validating, by the first application, an identity of the second mobile application based in part on a payload of the second URL;
  
  generating a shared encryption key based at least in part on the first encryption information and the second encryption information; and
  
  using the shared encryption key to encrypt data to be transferred from the first mobile application of the mobile device to the second mobile application of the mobile device via the shared storage location, wherein the management server is configured to manage the second mobile application via the encrypted data provided by the first mobile application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein using the shared encryption key to encrypt the data comprises:
    - encrypting the data using the shared encryption key in a symmetric key encryption operation.
  - 3. The method of claim 1, wherein generating the shared encryption key comprises combining the first encryption information and second encryption information.
  - 4. The method of claim 3, wherein combining comprises combining the first encryption information and second encryption information using a binary XOR operation.
  - 5. The method of claim 1, wherein receiving the second encryption information associated with the second mobile application includes:
    - receiving a request to open the second URL including the second encryption information;
      
      verifying that a source associated with the second URL includes the second mobile application; and
      
      processing the second URL to retrieve the second encryption information.
  - 6. The method of claim 1, further comprising:
    - storing one or more of the first encryption information, the second encryption information, and the shared encryption key at a secure storage location.
  - 7. The method of claim 1, wherein the first encryption information and second encryption information include public keys used in one or more of a Diffie-Hellman key exchange and an elliptic curve Diffie-Hellman key exchange.
  - 8. The method of claim 1, wherein the providing of the first encryption information associated with the first mobile application, receiving of the second encryption information associated with the second mobile application, and generating the shared encryption key steps comprise one or more of a Diffie-Hellman key exchange and an elliptic curve Diffie-Hellman key exchange.
  - 9. The method of claim 1, further comprising:
    - determining that an encryption key expiration event has occurred; and
      
      initiating an encryption information exchange operation.
  - 10. The method of claim 1, wherein the shared storage location comprises a named pasteboard, andwherein the named pasteboard is associated with an identifier.
  - 11. The method of claim 1, further comprising, providing an identifier useable to retrieve data from the shared storage location, wherein providing the identifier comprises:
    - using the shared encryption key to encrypt the identifier; and
      
      transferring the encrypted identifier from the first mobile application to the second mobile application.
  - 12. The method of claim 1, further comprising:
    - retrieving the encrypted data from the shared storage location at the second mobile application; and
      
      using the shared encryption key to decrypt the encrypted data.
  - 13. The method of claim 1, further comprising receiving the data at the first mobile application comprising a hub application.
  - 14. The method of claim 13, further comprising:
    - using a second shared encryption key to encrypt second data to be transferred from the first mobile application to a third mobile application; and
      
      providing the encrypted second data to a second shared storage location, wherein the third mobile application is configured to retrieve the encrypted second data from the second shared storage location.
  - 15. The method of claim 1, whereinusing the shared encryption information includes using the shared encryption key to encrypt data to be transferred from the first mobile application to a plurality of applications;
    - andproviding the encrypted data to be transferred from the first mobile application to a plurality of applications, wherein providing the encrypted data to be transferred from the first mobile application to a plurality of applications includes providing the encrypted data to be transferred from the first mobile application to a plurality of applications to a shared storage location accessible to the plurality of applications, wherein at least one application in the plurality of applications is configured to retrieve the encrypted data.
  - 16. The method of claim 1, wherein the identifier comprises a random name generated by the first mobile application.
  - 17. The method of claim 1, wherein the shared storage location comprises a named pasteboard, andwherein the shared storage location is generated at least in part by invoking a pasteboard generation class method.
  - 18. The method of claim 1, further comprising:
    - validating, by the second mobile application, the first mobile application; and
      
      in response to validating the first mobile application, retrieving, by the second mobile application, the encrypted data from the shared storage location.
  - 19. The method of claim 1, wherein at least one credential associated with the first mobile application is provided in addition to the first encryption information to the second mobile application.
  - 20. The method of claim 19, wherein the at least one credential associated with the first mobile application includes a signature of an identifier associated with the first mobile application.
  - 21. The method of claim 1, wherein the second encryption information includes at least one credential associated with the second mobile application.
  - 22. The method of claim 1, wherein the providing includes providing the first encryption information to the second mobile application using a URL scheme associated with the second mobile application.

23. A system, comprising:
- a processor; and
  
  a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to;
  
  provide, from a first mobile application of the system to a second mobile application of the system via a first uniform resource locator (URL), information that includes a first encryption information associated with the first mobile application of the mobile device, an identifier of a shared storage location, and a first mobile application identifier, wherein the first mobile application is a management agent associated with a management server and the second mobile application is a managed application, wherein the second mobile application is configured to validate the first mobile application based in part on the information, wherein in response to validating the first mobile application, the second mobile application is configured to provide second encryption information to the first mobile application via a second URL and a message indicating the second encryption information has been sent via the second URL to the shared storage location;
  
  receive, at the first mobile application of the mobile device from the second mobile application of the mobile device via the second URL, the second encryption information associated with the second mobile application of the mobile device;
  
  validate, by the first application, an identity of the second mobile application based in part on a payload of the second URL;
  
  generate a shared encryption key based at least in part on the first encryption information and the second encryption information; and
  
  use the shared encryption key to encrypt data to be transferred from the first mobile application of the mobile device to the second mobile application of the mobile device via the shared storage location, wherein the management server is configured to manage the second mobile application via the encrypted data provided by the first mobile application.
- View Dependent Claims (24)
- - 24. The system of claim 23, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - encrypt the data using the shared encryption key in a symmetric key encryption operation.

25. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- providing, from a first mobile application of a mobile device to a second mobile application of the mobile device via a first uniform resource locator (URL), information that includes a first encryption information associated with the first mobile application of the mobile device, an identifier of a shared storage location, and a first mobile application identifier, wherein the first mobile application is a management agent associated with a management server and the second mobile application is a managed application, wherein the second mobile application is configured to validate the first mobile application based in part on the information, wherein in response to validating the first mobile application, the second mobile application is configured to provide second encryption information to the first mobile application via a second URL and a message indicating the second encryption information has been sent via the second URL to the shared storage location;
  
  receiving, at the first mobile application of the mobile device from the second mobile application of the mobile device via the second URL, the second encryption information associated with the second mobile application of the mobile device;
  
  validating, by the first application, an identity of the second mobile application based in part on a payload of the second URL;
  
  generating a shared encryption key based at least in part on the first encryption information and the second encryption information; and
  
  using the shared encryption key to encrypt data to be transferred from the first mobile application to the second mobile application of the mobile device via the shared storage location, wherein the management server is configured to manage the second mobile application via the encrypted data provided by the first mobile application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ivanti, Inc. (Ivanti Software, Inc.)
Original Assignee
MobileIron, Inc.
Inventors
Wagner, Thomas Edward, Whiteman, Robert Elliott
Primary Examiner(s)
Do, Khang

Application Number

US15/639,012
Publication Number

US 20170302449A1
Time in Patent Office

676 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

H04L 2463/062   applying encryption of the ...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/30   Public key, i.e. encryption...

H04W 4/00   Services specially adapted ...

Secure app-to-app communication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Secure app-to-app communication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others