METHOD AND APPARATUS FOR PROVIDING A SECURE VIRTUAL ENVIRONMENT ON A MOBILE DEVICE

US 20130042295A1
Filed: 08/10/2011
Published: 02/14/2013
Est. Priority Date: 08/10/2011
Status: Active Grant

First Claim

Patent Images

1. A method for handling data on a mobile device, comprising:

enabling access to a secure virtual environment on the mobile device, the secure virtual environment configured with a security policy;

enabling only trusted applications to operate within the secure virtual environment according to the security policy;

presenting a user interface with only the trusted applications;

enabling a user to manipulate data with a trusted application in the secure virtual environment;

encrypting manipulated data with the secure virtual environment before data exits the secure virtual environment; and

storing encrypted data according to the security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and devices provide a secure virtual environment within a mobile device for processing documents and conducting secure activities. The methods and devices create a secure application environment in which secure data and documents may be segregated from unsecured data using document encryption, allowing the application of security policies to only the secure application environment. The creation of a secure application environment allows users to access and manipulate secure data on any mobile device, not just specifically designated secure devices, without having to secure all data on the mobile device, while providing the corporate entity with necessary document security. The methods and devices provide for securing data on a mobile device at the data level using encryption.

111 Citations

76 Claims

1. A method for handling data on a mobile device, comprising:
- enabling access to a secure virtual environment on the mobile device, the secure virtual environment configured with a security policy;
  
  enabling only trusted applications to operate within the secure virtual environment according to the security policy;
  
  presenting a user interface with only the trusted applications;
  
  enabling a user to manipulate data with a trusted application in the secure virtual environment;
  
  encrypting manipulated data with the secure virtual environment before data exits the secure virtual environment; and
  
  storing encrypted data according to the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, further comprising:
    - receiving a selection of the secure virtual environment from a mobile device user;
      
      prompting the user for an authentication input;
      
      receiving the user authentication input; and
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment.
  - 3. The method of claim 1, further comprising:
    - receiving data;
      
      determining if the data is trusted data;
      
      determining if the data is of a type allowed by the security policy; and
      
      decrypting the data with the secure virtual environment if the data is trusted data and is of a type allowed by the security policy.
  - 4. The method of claim 1, further comprising:
    - receiving data;
      
      determining if the data is encrypted;
      
      prompting the user for an authentication input;
      
      receiving the user authentication input;
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment;
      
      decrypting a data header with the secure virtual environment;
      
      determining if the data is trusted data according to the data header;
      
      determining if the data is of a type allowed by the security policy; and
      
      decrypting the data with the secure virtual environment if the data is trusted data of a type allowed by the security policy.
  - 5. The method of claim 1, further comprising;
    - receiving an application;
      
      using an application program interface (API)/broker to determine if the application is a trusted application;
      
      determining if the application is allowed by the security policy; and
      
      storing the application if it is a trusted application and allowed by the security policy.
  - 6. The method of claim 1, wherein the security policy includes one or more of:
    - a list of applications allowed to operate in the secure virtual environment;
      
      a list of application types allowed to operate in the secure virtual environment;
      
      data manipulation restrictions in the secure virtual environment; and
      
      data storage restrictions in the secure virtual environment.
  - 7. The method of claim 1, further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted applications;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning an unsecure memory of the mobile device to identify trusted applications stored on the unsecure memory;
      
      determining if any trusted applications stored on the unsecure memory are allowed by the security policy; and
      
      moving trusted applications stored on the unsecure memory and determined to be allowed by the security policy to a secure memory.
  - 8. The method of claim 1, further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of allowed applications;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning a secure memory of the mobile device to identify applications un-allowed by the security policy; and
      
      deleting any identified un-allowed applications.
  - 9. The method of claim 1, further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted data types;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning an unsecure memory of the mobile device to identify trusted data types stored on the unsecure memory;
      
      determining if any trusted data types stored on the unsecure memory are allowed by the security policy; and
      
      moving trusted data types stored on the unsecure memory and determined to be allowed by the security policy to a secure memory.
  - 10. The method of claim 1, further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted data types;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning a secure memory of the mobile device to identify data types un-allowed by the security policy; and
      
      deleting any identified un-allowed data types.
  - 11. The method of claim 1, wherein storing encrypted data according to the security policy comprises storing encrypted data in a secure portion of memory on the mobile device.
  - 12. The method of claim 1, further comprising:
    - receiving a catalog command;
      
      generating a catalog report using the secure virtual environment in response to the catalog command, the catalog report containing information about the contents of a secure memory.
  - 13. The method of claim 12, further comprising:
    - locking the secure virtual environment in response to the catalog command;
      
      copying the contents of the secure memory in response to the catalog command; and
      
      transmitting a copy of the contents of a secure memory to a server.
  - 14. The method of claim 1, further comprising:
    - receiving a delete command;
      
      using the secure virtual environment to erase secure data on the mobile device in response to the delete command; and
      
      locking the secure virtual environment in response to the delete command.
  - 15. The method of claim 2, further comprising:
    - receiving a user input to select a network based application;
      
      receiving a network access request from a network server; and
      
      sending a user authentication package from the secure virtual environment to the network server, the user authentication package containing a key or code known only to the secure virtual environment and the network server used to indicate the user has been authenticated.
  - 16. The method of claim 2, further comprising:
    - receiving a user input to select a network based application;
      
      receiving a network access request from a network server; and
      
      sending a user authentication package from the secure virtual environment to the network server, the user authentication package containing at least a portion of the user authentication input.
  - 17. The method of claim 1, further comprising:
    - establishing in the secure virtual environment a secure data link between the mobile device and a server over a network; and
      
      decrypting and encrypting data transmitted over the secure data link with the secure virtual environment.
  - 18. The method of claim 1, further comprising:
    - activating the secure virtual environment at startup of the mobile device;
      
      running the secure virtual environment in the background of the mobile device;
      
      receiving a selection of the secure virtual environment from a mobile device user;
      
      prompting the user for authentication input;
      
      receiving the user authentication input; and
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment.
  - 19. The method of claim 1, further comprising:
    - receiving a user input to activate a trusted application in the secure virtual environment;
      
      receiving a user authentication request from the trusted application; and
      
      providing user authentication information from the secure virtual environment to the trusted application.

20. A mobile device, comprising:
- a memory; and
  
  a processor coupled to the memory, wherein the processor is configured with processor-executable instructions to perform operations comprising;
  
  enabling access to a secure virtual environment on the mobile device, the secure virtual environment configured with a security policy;
  
  enabling only trusted applications to operate within the secure virtual environment according to the security policy;
  
  presenting a user interface with only the trusted applications;
  
  enabling a user to manipulate data with a trusted application in the secure virtual environment;
  
  encrypting manipulated data with the secure virtual environment before data exits the secure virtual environment; and
  
  storing encrypted data in the memory according to the security policy.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a selection of the secure virtual environment from a mobile device user;
      
      prompting the user for an authentication input;
      
      receiving the user authentication input; and
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment.
  - 22. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving data;
      
      determining if the data is trusted data;
      
      determining if the data is of a type allowed by the security policy; and
      
      decrypting the data with the secure virtual environment if the data is trusted data and is of a type allowed by the security policy.
  - 23. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving data;
      
      determining if the data is encrypted;
      
      prompting the user for an authentication input;
      
      receiving the user authentication input;
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment;
      
      decrypting a data header with the secure virtual environment;
      
      determining if the data is trusted data according to the data header;
      
      determining if the data is of a type allowed by the security policy; and
      
      decrypting the data with the secure virtual environment if the data is trusted data of a type allowed by the security policy.
  - 24. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations further comprising;
    - receiving an application;
      
      using an application program interface (API)/broker to determine if the application is a trusted application;
      
      determining if the application is allowed by the security policy; and
      
      storing the application if it is a trusted application and allowed by the security policy.
  - 25. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations such that the security policy includes one or more of:
    - a list of applications allowed to operate in the secure virtual environment;
      
      a list of application types allowed to operate in the secure virtual environment;
      
      data manipulation restrictions in the secure virtual environment; and
      
      data storage restrictions in the secure virtual environment.
  - 26. The mobile device of claim 20, wherein the memory comprises an unsecure memory and a secure memory, and wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted applications;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning the unsecure memory of the mobile device to identify trusted applications stored on the unsecure memory;
      
      determining if any trusted applications stored on the unsecure memory are allowed by the security policy; and
      
      moving trusted applications stored on the unsecure memory and determined to be allowed by the security policy to the secure memory.
  - 27. The mobile device of claim 20, wherein the memory comprises an unsecure memory and a secure memory, and wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of allowed applications;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning the secure memory of the mobile device to identify applications un-allowed by the security policy; and
      
      deleting any identified un-allowed applications.
  - 28. The mobile device of claim 20, wherein the memory comprises an unsecure memory and a secure memory, and wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted data types;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning the unsecure memory of the mobile device to identify trusted data types stored on the unsecure memory;
      
      determining if any trusted data types stored on the unsecure memory are allowed by the security policy; and
      
      moving trusted data types stored on the unsecure memory and determined to be allowed by the security policy to the secure memory.
  - 29. The mobile device of claim 20, wherein the memory comprises an unsecure memory and a secure memory, and wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted data types;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning the secure memory of the mobile device to identify data types un-allowed by the security policy; and
      
      deleting any identified un-allowed data types.
  - 30. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations such that storing encrypted data according to the security policy comprises storing encrypted data in a secure portion of the memory on the mobile device.
  - 31. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a catalog command;
      
      generating a catalog report using the secure virtual environment in response to the catalog command, the catalog report containing information about the contents of a secure memory.
  - 32. The mobile device of claim 31, wherein the memory comprises a secure memory, and wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - locking the secure virtual environment in response to the catalog command;
      
      copying the contents of the secure memory in response to the catalog command; and
      
      transmitting a copy of the contents of the secure memory to a server.
  - 33. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a delete command;
      
      using the secure virtual environment to erase secure data on the mobile device in response to the delete command; and
      
      locking the secure virtual environment in response to the delete command.
  - 34. The mobile device of claim 21, further comprising a transceiver coupled to the processor and configured to enable the processor to communicate with a network, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a user input to select a network based application;
      
      receiving a network access request from a network server; and
      
      sending a user authentication package from the secure virtual environment to the network server, the user authentication package containing a key or code known only to the secure virtual environment and the network server used to indicate the user has been authenticated.
  - 35. The mobile device of claim 21, further comprising a transceiver coupled to the processor and configured to enable the processor to communicate with a network, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a user input to select a network based application;
      
      receiving a network access request from a network server; and
      
      sending a user authentication package from the secure virtual environment to the network server, the user authentication package containing at least a portion of the user authentication input.
  - 36. The mobile device of claim 20, further comprising a transceiver coupled to the processor and configured to enable the processor to communicate with a network, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - establishing in the secure virtual environment a secure data link between the mobile device and a server over a network; and
      
      decrypting and encrypting data transmitted over the secure data link with the secure virtual environment.
  - 37. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - activating the secure virtual environment at startup of the mobile device;
      
      running the secure virtual environment in the background of the mobile device;
      
      receiving a selection of the secure virtual environment from a mobile device user;
      
      prompting the user for authentication input;
      
      receiving the user authentication input; and
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment.
  - 38. The mobile device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations further comprising:
    - receiving a user input to activate a trusted application in the secure virtual environment;
      
      receiving a user authentication request from the trusted application; and
      
      providing user authentication information from the secure virtual environment to the trusted application.

39. A mobile device, comprising:
- means for means for enabling access to a secure virtual environment on the mobile device, the secure virtual environment configured with a security policy;
  
  means for enabling only trusted applications to operate within the secure virtual environment according to the security policy;
  
  means for presenting a user interface with only the trusted applications;
  
  means for enabling a user to manipulate data with a trusted application in the secure virtual environment;
  
  means for encrypting manipulated data with the secure virtual environment before data exits the secure virtual environment; and
  
  means for storing encrypted data according to the security policy.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 40. The mobile device of claim 39, further comprising:
    - means for receiving a selection of the secure virtual environment from a mobile device user;
      
      means for prompting the user for an authentication input;
      
      means for receiving the user authentication input; and
      
      means for verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment.
  - 41. The mobile device of claim 39, further comprising:
    - means for receiving data;
      
      means for determining if the data is trusted data;
      
      means for determining if the data is of a type allowed by the security policy; and
      
      means for decrypting the data with the secure virtual environment if the data is trusted data and is of a type allowed by the security policy.
  - 42. The mobile device of claim 39, further comprising:
    - means for receiving data;
      
      means for determining if the data is encrypted;
      
      means for prompting the user for an authentication input;
      
      means for receiving the user authentication input;
      
      means for verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment;
      
      means for decrypting a data header with the secure virtual environment;
      
      means for determining if the data is trusted data according to the data header;
      
      means for determining if the data is of a type allowed by the security policy; and
      
      means for decrypting the data with the secure virtual environment if the data is trusted data of a type allowed by the security policy.
  - 43. The mobile device of claim 39, further comprising;
    - means for receiving an application;
      
      means for using an application program interface (API)/broker to determine if the application is a trusted application;
      
      means for determining if the application is allowed by the security policy; and
      
      means for storing the application if it is a trusted application and allowed by the security policy.
  - 44. The mobile device of claim 39, wherein the security policy includes one or more of:
    - a list of applications allowed to operate in the secure virtual environment;
      
      a list of application types allowed to operate in the secure virtual environment;
      
      data manipulation restrictions in the secure virtual environment; and
      
      data storage restrictions in the secure virtual environment.
  - 45. The mobile device of claim 39, further comprising:
    - means for receiving a security policy update, the security policy update containing an update to a list of trusted applications;
      
      means for using the security policy update to update the security policy of the secure virtual environment;
      
      means for scanning an unsecure memory of the mobile device to identify trusted applications stored on the unsecure memory;
      
      means for determining if any trusted applications stored on the unsecure memory are allowed by the security policy; and
      
      means for moving trusted applications stored on the unsecure memory and determined to be allowed by the security policy to a secure memory.
  - 46. The mobile device of claim 39, further comprising:
    - means for receiving a security policy update, the security policy update containing an update to a list of allowed applications;
      
      means for using the security policy update to update the security policy of the secure virtual environment;
      
      means for scanning a secure memory of the mobile device to identify applications un-allowed by the security policy; and
      
      means for deleting any identified un-allowed applications.
  - 47. The mobile device of claim 39, further comprising:
    - means for receiving a security policy update, the security policy update containing an update to a list of trusted data types;
      
      means for using the security policy update to update the security policy of the secure virtual environment;
      
      means for scanning an unsecure memory of the mobile device to identify trusted data types stored on the unsecure memory;
      
      means for determining if any trusted data types stored on the unsecure memory are allowed by the security policy; and
      
      means for moving trusted data types stored on the unsecure memory and determined to be allowed by the security policy to a secure memory.
  - 48. The mobile device of claim 39, further comprising:
    - means for receiving a security policy update, the security policy update containing an update to a list of trusted data types;
      
      means for using the security policy update to update the security policy of the secure virtual environment;
      
      means for scanning a secure memory of the mobile device to identify data types un-allowed by the security policy; and
      
      means for deleting any identified un-allowed data types.
  - 49. The mobile device of claim 39, wherein means for storing encrypted data according to the security policy comprises means for storing encrypted data in a secure portion of the memory on the mobile device.
  - 50. The mobile device of claim 39, further comprising:
    - means for receiving a catalog command;
      
      means for generating a catalog report using the secure virtual environment in response to the catalog command, the catalog report containing information about the contents of a secure memory.
  - 51. The mobile device of claim 50, further comprising:
    - means for locking the secure virtual environment in response to the catalog command;
      
      means for copying the contents of a secure memory in response to the catalog command; and
      
      means for transmitting a copy of the contents of the secure memory to a server.
  - 52. The mobile device of claim 39, further comprising:
    - means for receiving a delete command;
      
      means for using the secure virtual environment to erase secure data on the mobile device in response to the delete command; and
      
      means for locking the secure virtual environment in response to the delete command.
  - 53. The mobile device of claim 40, further comprising:
    - means for receiving a user input to select a network based application;
      
      means for receiving a network access request from a network server; and
      
      means for sending a user authentication package from the secure virtual environment to the network server, the user authentication package containing a key or code known only to the secure virtual environment and the network server used to indicate the user has been authenticated.
  - 54. The mobile device of claim 40, further comprising:
    - means for receiving a user input to select a network based application;
      
      means for receiving a network access request from a network server; and
      
      means for sending a user authentication package from the secure virtual environment to the network server, the user authentication package containing at least a portion of the user authentication input.
  - 55. The mobile device of claim 39, further comprising:
    - means for establishing in the secure virtual environment a secure data link between the mobile device and a server over a network; and
      
      means for decrypting and encrypting data transmitted over the secure data link with the secure virtual environment.
  - 56. The mobile device of claim 39, further comprising:
    - means for activating the secure virtual environment at startup of the mobile device;
      
      means for running the secure virtual environment in the background of the mobile device;
      
      means for means for receiving a selection of the secure virtual environment from a mobile device user;
      
      means for prompting the user for authentication input;
      
      means for receiving the user authentication input; and
      
      means for verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment.
  - 57. The mobile device of claim 39, further comprising:
    - means for receiving a user input to activate a trusted application in the secure virtual environment;
      
      means for receiving a user authentication request from the trusted application; and
      
      means for providing user authentication information from the secure virtual environment to the trusted application.

58. A non-transitory processor-readable medium having stored thereon processor-executable instructions configured to cause a mobile device processor to perform operations comprising:
- enabling access to a secure virtual environment on the mobile device, the secure virtual environment configured with a security policy;
  
  enabling only trusted applications to operate within the secure virtual environment according to the security policy;
  
  presenting a user interface with only the trusted applications;
  
  enabling a user to manipulate data with a trusted application in the secure virtual environment;
  
  encrypting manipulated data with the secure virtual environment before data exits the secure virtual environment; and
  
  storing encrypted data in memory according to the security policy.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76)
- - 59. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a selection of the secure virtual environment from a mobile device user;
      
      prompting the user for an authentication input;
      
      receiving the user authentication input; and
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment.
  - 60. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving data;
      
      determining if the data is trusted data;
      
      determining if the data is of a type allowed by the security policy; and
      
      decrypting the data with the secure virtual environment if the data is trusted data and is of a type allowed by the security policy.
  - 61. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving data;
      
      determining if the data is encrypted;
      
      prompting the user for an authentication input;
      
      receiving the user authentication input;
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment;
      
      decrypting a data header with the secure virtual environment;
      
      determining if the data is trusted data according to the data header;
      
      determining if the data is of a type allowed by the security policy; and
      
      decrypting the data with the secure virtual environment if the data is trusted data of a type allowed by the security policy.
  - 62. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising;
    - receiving an application;
      
      using an application program interface (API)/broker to determine if the application is a trusted application;
      
      determining if the application is allowed by the security policy; and
      
      storing the application if it is a trusted application and allowed by the security policy.
  - 63. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations such that the security policy includes one or more of:
    - a list of applications allowed to operate in the secure virtual environment;
      
      a list of application types allowed to operate in the secure virtual environment;
      
      data manipulation restrictions in the secure virtual environment; and
      
      data storage restrictions in the secure virtual environment.
  - 64. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted applications;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning an unsecure memory of the mobile device to identify trusted applications stored on the unsecure memory;
      
      determining if any trusted applications stored on the unsecure memory are allowed by the security policy; and
      
      moving trusted applications stored on the unsecure memory and determined to be allowed by the security policy to a secure memory.
  - 65. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of allowed applications;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning a secure memory of the mobile device to identify applications un-allowed by the security policy; and
      
      deleting any identified un-allowed applications.
  - 66. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted data types;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning an unsecure memory of the mobile device to identify trusted data types stored on the unsecure memory;
      
      determining if any trusted data types stored on the unsecure memory are allowed by the security policy; and
      
      moving trusted data types stored on the unsecure memory and determined to be allowed by the security policy to a secure memory.
  - 67. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a security policy update, the security policy update containing an update to a list of trusted data types;
      
      using the security policy update to update the security policy of the secure virtual environment;
      
      scanning a secure memory of the mobile device to identify data types un-allowed by the security policy; and
      
      deleting any identified un-allowed data types.
  - 68. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations such that storing encrypted data according to the security policy comprises storing encrypted data in a secure portion of the memory on the mobile device.
  - 69. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a catalog command;
      
      generating a catalog report using the secure virtual environment in response to the catalog command, the catalog report containing information about the contents of a secure memory.
  - 70. The non-transitory processor-readable medium of claim 69, wherein the memory comprises a secure memory, and the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - locking the secure virtual environment in response to the catalog command;
      
      copying the contents of a secure memory in response to the catalog command; and
      
      transmitting a copy of the contents of the secure memory to a server.
  - 71. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a delete command;
      
      using the secure virtual environment to erase secure data on the mobile device in response to the delete command; and
      
      locking the secure virtual environment in response to the delete command.
  - 72. The non-transitory processor-readable medium of claim 59, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a user input to select a network based application;
      
      receiving a network access request from a network server; and
      
      sending a user authentication package from the secure virtual environment to the network server, the user authentication package containing a key or code known only to the secure virtual environment and the network server used to indicate the user has been authenticated.
  - 73. The non-transitory processor-readable medium of claim 59, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a user input to select a network based application;
      
      receiving a network access request from a network server; and
      
      sending a user authentication package from the secure virtual environment to the network server, the user authentication package containing at least a portion of the user authentication input.
  - 74. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - establishing in the secure virtual environment a secure data link between the mobile device and a server over a network; and
      
      decrypting and encrypting data transmitted over the secure data link with the secure virtual environment.
  - 75. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - activating the secure virtual environment at startup of the mobile device;
      
      running the secure virtual environment in the background of the mobile device;
      
      receiving a selection of the secure virtual environment from a mobile device user;
      
      prompting the user for authentication input;
      
      receiving the user authentication input; and
      
      verifying the user based on the received user authentication input prior to enabling access to the secure virtual environment.
  - 76. The non-transitory processor-readable medium of claim 58, wherein the stored processor-executable instructions are configured to cause a mobile device processor to perform operations further comprising:
    - receiving a user input to activate a trusted application in the secure virtual environment;
      
      receiving a user authentication request from the trusted application; and
      
      providing user authentication information from the secure virtual environment to the trusted application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Charles C. Kelly
Inventors
KELLY, Charles C., DAVIS, Joshua R.

Granted Patent

US 8,949,929 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04W 12/02   Protecting privacy or anony...

H04W 12/08   Access security

H04W 12/082   using revocation of authori...

H04W 12/35   Protecting application or s...

H04W 12/37   Managing security policies ...

METHOD AND APPARATUS FOR PROVIDING A SECURE VIRTUAL ENVIRONMENT ON A MOBILE DEVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

111 Citations

76 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR PROVIDING A SECURE VIRTUAL ENVIRONMENT ON A MOBILE DEVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

76 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links