Application security analysis

US 10,623,435 B2
Filed: 08/14/2018
Issued: 04/14/2020
Est. Priority Date: 10/21/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

evaluating each of a plurality of applications for account takeover behavior, the plurality of applications residing on a mobile device, the mobile device being configurable to access an enterprise system, the evaluating comprising;

performing an analysis of each of the plurality of applications for account takeover behavior, the account takeover behavior including accessing an account of another user, the another user being different from a user of the mobile device;

based on the analysis, calculating a score for each of the plurality of applications;

determining whether each of the plurality of applications meets or exceeds a score threshold; and

automatically remediating each of the applications, of the plurality of applications, for which the score meets or exceeds the score threshold.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Application security analysis including systems and methods for analyzing applications for risk is provided. In an example method, the applications reside on a mobile device configurable to access an enterprise system. The example method includes evaluating each of a plurality of applications variously for privacy, data leakage, and malicious behavior. The example method also includes calculating a risk score for each of the plurality of applications based on the evaluating; and automatically remediating (e.g., quarantining) the applications, of the plurality of applications, for which the risk score meets or exceeds a risk score threshold. The method may evaluate all of the applications residing on a mobile device. The method may include grouping application behaviors, for each of the applications, that indicate an increased risk into groups comprising two or more of privacy risk, a data leakage risk, an account takeover risk, a device takeover risk, and a malware risk.

65 Citations

View as Search Results

19 Claims

1. A method, comprising:
- evaluating each of a plurality of applications for account takeover behavior, the plurality of applications residing on a mobile device, the mobile device being configurable to access an enterprise system, the evaluating comprising;
  
  performing an analysis of each of the plurality of applications for account takeover behavior, the account takeover behavior including accessing an account of another user, the another user being different from a user of the mobile device;
  
  based on the analysis, calculating a score for each of the plurality of applications;
  
  determining whether each of the plurality of applications meets or exceeds a score threshold; and
  
  automatically remediating each of the applications, of the plurality of applications, for which the score meets or exceeds the score threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the evaluating is performed on the mobile device.
  - 3. The method of claim 1, wherein the evaluating is performed in a sandbox.
  - 4. The method of claim 1, wherein the analysis comprises analyzing declared permissions of each of the plurality of applications in comparison with actual resources of the mobile device that are utilized by a respective application.
  - 5. The method of claim 1, wherein the analysis comprises executing each of the plurality of applications in a sandbox and further comprises analyzing application behavior for each of the plurality of applications over a period of time.
  - 6. The method of claim 1, wherein the analysis comprises executing each of the plurality of applications in a sandbox and monitoring input and output operations of the respective applications.
  - 7. The method of claim 1, wherein the calculating the score for each of the plurality of applications further comprises calculating a resource score that is indicative of a reputation of network resources utilized by each of the plurality of applications.
  - 8. The method of claim 7, wherein the calculating the score for each of the plurality of applications further comprises determining if the respective application encrypts data transmitted to the network resources.
  - 9. The method of claim 1, wherein the evaluating further comprises:
    - for the plurality of applications, grouping application behaviors that indicate an increased risk into groups comprising a privacy risk, a data leakage risk, a device takeover risk, an account takeover risk, and a malware risk.
  - 10. The method of claim 9, wherein the privacy risk for an application of the plurality of applications comprises a risk of any transmission of sensitive information regarding the user over a network;
    - wherein the data leakage risk for an application of the plurality of applications comprises any transmission of unencrypted data by the application, any connection to a file sharing service by the application, and any uploading of data to an untrusted service;
      
      wherein the device takeover risk for an application of the plurality of applications comprises a risk of a device takeover behavior for an application of the plurality of applications which comprises any transmission of hardware identification information by the application, a violation of a policy for accessing a restricted application programming interface (API), or a jailbreak or rooting attempt by the application;
      
      wherein the account takeover risk for an application of the plurality of applications comprises any transmission of authentication credentials to a network resource by the application, accessing an online account associated with the user of the mobile device in an unauthorized way, and/or accessing an online account not associated with the user of the mobile device or not authorized for the application; and
      
      wherein the malware risk for an application of the plurality of applications comprises any activity performed by the application that is indicative of malicious behavior by the application of a network resource accessed by the application.
  - 11. The method of claim 1, further comprising comparing each of the plurality of applications to a blacklist of applications, wherein, if at least one of the application and an application developer of the application is listed on the blacklist, the respective application is automatically remediated.
  - 12. The method of claim 1, wherein the account takeover behavior further includes:
    - unauthorized taking over of an account of the user by an application having at least one of unauthorized access to and unauthorized control of authentication credentials for a user account; and
      
      transmitting the authentication credentials to a network resource.
  - 13. The method of claim 12, wherein the unauthorized taking over an account of the user further comprises unauthorized transmitting of usernames and passwords for email access.
  - 14. The method of claim 1, wherein the account takeover behavior further includes:
    - unauthorized taking over an account of the user by an application initiating unauthorized access to an online account associated with the user of the mobile device.
  - 15. The method of claim 1, wherein the account takeover behavior further includes:
    - unauthorized taking over an account of the user by an application accessing an online account not authorized for the application.
  - 16. The method of claim 1, wherein the account takeover behavior further includes:
    - unauthorized taking over an account of the user by an application accessing a user'"'"'s account beyond an authorization of the user.
  - 17. The method of claim 16, wherein the unauthorized taking over an account of the user further comprises an application being authorized by the user to place an image file in a cloud file storage account and accessing other files in the cloud file storage account.

18. A system for mobile device management, comprising:
- one or more enterprise devices that provide enterprise services; and
  
  an application analysis system, comprising a processor that executes instructions stored in memory to;
  
  detect mobile devices attempting to access the enterprise services; and
  
  conduct an analysis of a plurality of applications residing on the mobile devices, the mobile devices being configurable to access an enterprise system, the analysis comprising;
  
  comparing the plurality of applications to a whitelist and blacklist;
  
  for each of the plurality of applications not on the whitelist or blacklist, evaluating each of the plurality of applications for account takeover behavior, the evaluating comprising performing an analysis of each of the plurality of applications for the account takeover behavior, the account takeover behavior including accessing an account of another user, the another user being different from a user of the mobile device;
  
  calculating a score for each of the plurality of applications based on the application behavior; and
  
  automatically remediating respective applications of the plurality of applications if the score calculated for the respective applications meets or exceeds a score threshold.

19. A non-transitory computer-readable storage medium having embodied thereon instructions, which, when executed by at least one processor, perform steps of a method, the method comprising:
- evaluating each of a plurality of applications for account takeover behavior, the plurality of applications residing on a mobile device, the mobile device being configurable to access an enterprise system, the evaluating comprising;
  
  performing an analysis of each of the plurality of applications for account takeover behavior, the account takeover behavior including accessing an account of another user, the another user being different from a user of the mobile device;
  
  based on the analysis, calculating a score for each of the plurality of applications;
  
  determining whether each of the plurality of applications meets or exceeds a score threshold; and
  
  automatically remediating the applications, of the plurality of applications, for which the score meets or exceeds the score threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Proofpoint Incorporated
Inventors
Jevans, David Alexander, Basandra, Suresh Kumar
Primary Examiner(s)
Vaughan, Michael R

Application Number

US16/103,144
Publication Number

US 20180359277A1
Time in Patent Office

609 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04W 12/37   Managing security policies ...

Application security analysis

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Application security analysis

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others