Validating the Identity of a Mobile Application for Mobile Application Management

US 20140298420A1
Filed: 05/20/2013
Published: 10/02/2014
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A method of managing access to enterprise resources comprising:

operating an access manager at a mobile computing device;

validating a mobile application installed at the mobile computing device using the access manager;

preventing the mobile application from accessing computing resource upon unsuccessful validation of the mobile application by the access manager;

identifying the mobile application as a trusted mobile application upon successful validation of the mobile application by the access manager; and

permitting the trusted mobile application to access the computing resource.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing access to enterprise resources is provided. An access manager may operate at a mobile device to validate a mobile application installed at that mobile device. If the access manager does not successfully validate the mobile application, the access manager may prevent the mobile application from accessing computing resource. If the access manager does successfully validate the mobile application, then the access manager may identify the mobile application as a trusted mobile application. The access manager may thus permit the trusted mobile application to access the computing resource.

121 Citations

20 Claims

1. A method of managing access to enterprise resources comprising:
- operating an access manager at a mobile computing device;
  
  validating a mobile application installed at the mobile computing device using the access manager;
  
  preventing the mobile application from accessing computing resource upon unsuccessful validation of the mobile application by the access manager;
  
  identifying the mobile application as a trusted mobile application upon successful validation of the mobile application by the access manager; and
  
  permitting the trusted mobile application to access the computing resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising:
    - storing identification information associated with the mobile application at the mobile computing device; and
      
      wherein validating a mobile application includes validating the mobile application based on the stored identification information.
  - 3. The method of claim 2 wherein validating the mobile application further includes:
    - challenging the mobile application to provide a response that identifies the mobile application;
      
      generating an expected response based, at least in part, on the stored identification information;
      
      comparing the expected response to the response provided by the mobile application;
      
      determining the mobile application is valid when the expected response matches the response provided by the mobile application; and
      
      determining the mobile application is invalid when the expected response does not match the response provided by the mobile application.
  - 4. The method of claim 3 further comprising:
    - embedding identification tokens into the mobile application before the mobile application is installed at the mobile computing device;
      
      configuring the mobile application to extract the embedded identification tokens; and
      
      including the embedded identification tokens in the stored identification information such that the expected response is based, at least in part, on the embedded identification tokens; and
      
      wherein the response provided by the mobile application is based, at least in part, on the embedded identifications tokens extracted from the mobile application.
  - 5. The method of claim 4 wherein validating the mobile application further includes:
    - deriving one or more identification tokens from the mobile application using the access manager;
      
      generating an expected application signature based on an arrangement of the embedded identification tokens and the derived identification tokens; and
      
      generating the expected response further based, at least in part, on the expected application signature.
  - 6. The method of claim 5 wherein validating the mobile application further includes:
    - providing a nonce to the mobile application;
      
      computing an expected hash value using the expected application signature and the nonce; and
      
      wherein the expected response is the expected hash value.
  - 7. The method of claim 2 wherein the stored identification information is an original digital certificate generated for the mobile application upon creation of the mobile application.
  - 8. The method of claim 7 wherein validating the mobile application includes:
    - computing a first hash value based on the original digital certificate and a second hash value based on a digital certificate received from a mobile operating system of the mobile computing device;
      
      comparing the first hash value to the second hash value;
      
      determining the mobile application is valid when the first hash value matches the second hash value; and
      
      determining the mobile application is invalid when the first hash value does not match the second hash value.
  - 9. The method of claim 2 further comprising:
    - opening a Transmission Control Protocol (TCP) socket at the mobile computing device using the access manager;
      
      waiting for the mobile application to establish a connection with the access manager at the TCP socket; and
      
      wherein the access manager initiates validation of the mobile application when the mobile application establishes a connection with the access manager at the TCP socket.
  - 10. The method of claim 1 further comprising:
    - obtaining an application policy associated with the trusted mobile application;
      
      storing the application policy at the mobile computing device; and
      
      controlling operation of the trusted mobile application using the access manager and based on the application policy.

11. A mobile computing device comprising:
- a mobile application configured to access computing resource;
  
  stored identification information associated with the mobile application;
  
  an access manager configured to validate the mobile application based on the stored identification information; and
  
  wherein the access manager is further configured toprevent the mobile application from accessing the computing resource upon unsuccessful validation of the mobile application,identify the mobile application as a trusted mobile application upon successful validation of the mobile application, andpermit the trusted mobile application to access the computing resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The mobile computing device of claim 11 wherein the access manager is further configured to:
    - challenge the mobile application to provide a response that identifies the mobile application;
      
      generate an expected response based, at least in part, on the stored identification information;
      
      compare the expected response to the response provided by the mobile application;
      
      determine the mobile application is valid when the expected response matches the response provided by the mobile application; and
      
      determine the mobile application is invalid when the expected response does not match the response provided by the mobile application.
  - 13. The mobile computing device of claim 12 wherein:
    - the mobile application includes embedded identification tokens and is configured to extract the embedded identification tokens;
      
      the stored identification information includes the embedded identification tokens such that the expected response is based, at least in part, on the embedded identification tokens; and
      
      wherein the response provided by the mobile application is based, at least in part, on the embedded identifications tokens extracted from the mobile application.
  - 14. The mobile computing device of claim 13 wherein the access manager is further configured to:
    - derive one or more identification tokens from the mobile application;
      
      generate an expected application signature based on an arrangement of the embedded identification tokens and the derived identification tokens; and
      
      generate the expected response further based, at least in part, on the expected application signature.
  - 15. The mobile computing device of claim 14 wherein the access manager is further configured to:
    - provide a nonce to the mobile application;
      
      compute an expected hash value using the expected application signature and the nonce; and
      
      wherein the expected response is the expected hash value.
  - 16. The mobile computing device of claim 11 wherein the stored identification information is an original digital certificate generated for the mobile application upon creation of the mobile application.
  - 17. The mobile computing device of claim 16 further comprising a mobile operating system wherein the access manager is further configured to:
    - compute a first hash value based on the original digital certificate and a second hash value based on a digital certificate received from the mobile operating system;
      
      compare the first hash value to the second hash value;
      
      determine the mobile application is valid when the first hash value matches the second hash value; and
      
      determine the mobile application is invalid when the first hash value does not match the second hash value.
  - 18. The mobile computing device of claim 11 wherein the computing resource is at least one of:
    - i) a software application operating at the mobile computing device or a remote computing system;
      
      ii) a service provided by the mobile computing device of the remote computing system;
      
      iii) data stored at the mobile computing device or the remote computing system;
      
      iv) hardware at the mobile computing device or the remote computing system; and
      
      v) combinations thereof.
  - 19. The mobile computing device of claim 11 further comprising:
    - an application policy associated with the mobile device; and
      
      wherein the access manager is configured to control operation of the trusted mobile application based on the application policy.

20. An access manager configured to operate at a mobile computing device and configured to:
- validate a mobile application installed at the mobile computing device based on identification information stored at the mobile computing device and associated with the mobile application;
  
  prevent the mobile application from accessing computing resource upon unsuccessful validation of the mobile application;
  
  identify the mobile application as a trusted mobile application upon successful validation of the mobile application;
  
  permit the trusted mobile application to access the computing resource; and
  
  control operation of the trusted mobile application based on an application policy stored at the mobile computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Lang, Zhongmin, Walker, James Robert

Granted Patent

US 9,270,674 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/33   using certificates

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

G06F 2221/033   Test or assess software

G06F 2221/2103   Challenge-response

G06F 2221/2115   Third party

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Validating the Identity of a Mobile Application for Mobile Application Management

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Validating the Identity of a Mobile Application for Mobile Application Management

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others