SECURE MOBILE BROWSER FOR PROTECTING ENTERPRISE DATA

US 20140007182A1
Filed: 10/10/2012
Published: 01/02/2014
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A mobile device comprising a user interface, a memory, and at least one processor configured to run applications stored on the memory, said mobile device comprising:

a web browser installed on the memory of the mobile device; and

an enterprise application installed on the memory of the mobile device, the enterprise application configured to respond to being run by launching the web browser and running within the web browser;

wherein the web browser is configured to regulate operation of the enterprise application in accordance with one or more enterprise policies.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

127 Citations

28 Claims

1. A mobile device comprising a user interface, a memory, and at least one processor configured to run applications stored on the memory, said mobile device comprising:
- a web browser installed on the memory of the mobile device; and
  
  an enterprise application installed on the memory of the mobile device, the enterprise application configured to respond to being run by launching the web browser and running within the web browser;
  
  wherein the web browser is configured to regulate operation of the enterprise application in accordance with one or more enterprise policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The mobile device of claim 1, wherein the web browser is configured to route communications from the mobile device to an enterprise resource through one or more computing devices configured as a proxy server to enable content filtering.
  - 3. The mobile device of claim 1, wherein the web browser is configured to communicate with an enterprise resource of an enterprise computing system via an application tunnel through a tunneling mediator of the enterprise computing system.
  - 4. The mobile device of claim 1, wherein the web browser is configured to cause data written by the enterprise application to the memory to be encrypted.
  - 5. The mobile device of claim 1, wherein the web browser is configured to validate access credentials provided by a user, via the user interface, prior to exposing functionalities of the enterprise application to the user.
  - 6. The mobile device of claim 5, wherein the access credentials comprise a passcode.
  - 7. The mobile device of claim 1, wherein the web browser is configured to:
    - receive or intercept a request sent by the enterprise application to a network resource;
      
      encapsulate at least a portion of the request within one or more headers of an encapsulation protocol; and
      
      send the encapsulated portion of the request to a tunneling mediator associated with the network resource, to establish a communication tunnel with the tunneling mediator.
  - 8. The mobile device of claim 7, wherein the enterprise application is configured to receive data via the user interface and generate a request to send the data to a network resource, and wherein the web browser is configured to:
    - respond to losing the network connection by caching at least a portion of the data that has not been sent to the tunneling mediator; and
      
      respond to regaining of the network connection by sending the cached data to the tunneling mediator via the regained network connection.
  - 9. The mobile device of claim 7, wherein the enterprise application is configured to generate a request to send first data to a network resource, and wherein the web browser is configured to:
    - compress the first data;
      
      send the compressed first data to the tunneling mediator via the communication tunnel;
      
      decompress second data received from the tunneling mediator via the communication tunnel; and
      
      provide the decompressed second data to the enterprise application.
  - 10. The mobile device of claim 1, wherein one or more enterprise policies are configured to restrict access of the enterprise application to a network resource when the mobile device is location in a defined geographical zone and/or when access to the network resource is requested during a defined time range.
  - 11. The mobile device of claim 1, wherein the one or more enterprise policies comprise one or more enterprise access rules defining conditions under which the mobile device is allowed to access an enterprise resource.
  - 12. The mobile device of claim 1, wherein the enterprise application is configured to respond to being run by launching the web browser and running within the web browser, based on at least one of a temporal condition, a location condition, a mobile device property, or a property of a user of the mobile device.
  - 13. The mobile device of claim 1, wherein the web browser is configured to:
    - receive one or more data values of one or more state metrics associated with the mobile device;
      
      detect an instance of a problem associated with the mobile device, at least in-part, by using a machine-readable logic rule to analyze the received one or more data values; and
      
      execute a machine-readable remedial action for countering the detected problem instance.

14. A non-transitory computer-readable medium having computer-readable instructions stored thereon that, when executed, cause a mobile device to perform operations comprising:
- responding to a request, received via a user interface of the mobile device, to run a software application installed on the mobile device by invoking a web browser and running the software application within the web browser, said web browser being configured to access an information resource via a network; and
  
  controlling operation of the software application, via the web browser, in accordance with one or more enterprise policies to protect enterprise data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory computer-readable medium of claim 14, wherein said invoking the web browser and running the software application within the web browser are substantially transparent to a user of the mobile computing device.
  - 16. The non-transitory computer-readable medium of claim 14, wherein controlling operation of the software application comprises sending a communication between the software application and an enterprise resource via an application tunnel.
  - 17. The non-transitory computer-readable medium of claim 14, wherein controlling operation of the software application comprises routing communications from the software application to an enterprise resource through one or more computing devices configured as a proxy server to enable content filtering.
  - 18. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise causing encryption, via the web browser, of data written by the software application to storage of the mobile device.
  - 19. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise the web browser prompting a user to enter a passcode and verifying the passcode prior to running the software application.
  - 20. The non-transitory computer-readable medium of claim 14, wherein controlling operation of the software application comprises regulating access of the mobile device to an enterprise resource based on comparing a condition associated with the mobile device to a value of the condition in an enterprise access rule stored on the non-transitory computer-readable medium.
  - 21. The non-transitory computer-readable medium of claim 14, wherein the operations further comprise:
    - sending a request to a server for an information resource based on information indicative of a uniform resource locator (URL) received by the user interface;
      
      receiving the information resource from the server; and
      
      making the information resource available via the user interface of the mobile device.

22. A non-transitory computer-readable medium comprising executable instructions stored thereon that are configured to implement a secure browser, said secure browser configured to at least:
- run on a mobile device of an enterprise user; and
  
  control execution of at least one enterprise application configured to run within the secure browser so as to enforce at least one enterprise security policy to protect enterprise data, wherein the at least one enterprise application is stored on the mobile device.
- View Dependent Claims (23)
- - 23. The computer-readable medium of claim 22, wherein the secure browser is configured control execution of the at least one enterprise application by one or more of:
    - communicating with an enterprise resource of an enterprise computing system via an application tunnel through a tunneling mediator of the enterprise computing system, said application tunnel using protocol encapsulation to send data over a network;
      
      routing communications from the at least one enterprise application to an external computing device through one or more computing devices configured as a proxy server to perform content filtering; and
      
      regulating access of the mobile device to the at least one enterprise resource based on comparing a condition associated with the mobile device to a value of the condition in one or more enterprise access rules.

26. A mobile device comprising:
- non-transitory storage configured to store a first application and a second application, the first application comprising executable instructions to automatically cause the mobile device to launch the second application in response to the first application being executed, the second application comprising executable instructions to run the first application within the second application, and the second application further comprising executable instructions to implement one or more enterprise access policies to regulate access to at least one enterprise resource; and
  
  at least one processor in communication with the non-transitory storage, the at least one processor configured to run the first application and the second application.
- View Dependent Claims (24, 25, 27, 28)
- - 24. The mobile device of claim 26, wherein the secure browser is configured to cause encryption of data written by the at least one enterprise application to the mobile device.
  - 25. The mobile device of claim 26, wherein the secure browser is configured to verify a passcode provided by a user prior to exposing functionality of the at least one enterprise application to the user.
  - 27. The mobile device of claim 26, wherein the executable instructions to implement one or more enterprise access policies are configured to cause the second application to perform one or more of:
    - communicate with the enterprise resource via an application tunnel through a tunneling mediator of an enterprise computing system, the enterprise computing system comprising the one or more enterprise resources;
      
      route communications from the mobile device to the at least one enterprise resource through one or more computing devices configured as a proxy server to perform content filtering; and
      
      regulate access of the mobile device to the at least one enterprise resource based on comparing a condition associated with the mobile device to a value of the condition in one or more enterprise access rules stored on the non-transitory computer-readable storage.
  - 28. The mobile device of claim 26, wherein the executable instructions to implement one or more enterprise access policies are configured to cause the second application to cause encryption of data written by the first application to the non-transitory storage, and to verify access credentials provided by a user prior to exposing functionality of the first application to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Zenprise, Inc. (Cloud Software Group)
Inventors
Qureshi, Waheed, Roach, Kelly Brian, McGinty, John M., Andre, Olivier, Abdullah, Shafaq, DeBenning, Thomas H., Datoo, Ahmed

Granted Patent

US 8,869,235 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 8/53   Decompilation; Disassembly

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/30   Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/64 : using geofenced areas

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

SECURE MOBILE BROWSER FOR PROTECTING ENTERPRISE DATA

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

127 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE MOBILE BROWSER FOR PROTECTING ENTERPRISE DATA

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

127 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links