SYSTEMS AND METHODS FOR APPLICATION SECURITY ANALYSIS

US 20160112451A1
Filed: 10/20/2015
Published: 04/21/2016
Est. Priority Date: 10/21/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

evaluating each of a plurality of applications for privacy, data leakage, or malicious behavior, the plurality of applications residing on a mobile device, the mobile device being configurable to access an enterprise system;

calculating a risk score for each of the plurality of applications based on the evaluating;

determining whether each of the plurality of applications meets or exceeds a risk score threshold; and

automatically remediating the applications, of the plurality of applications, for which the risk score meets or exceeds the risk score threshold.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for analyzing applications for risk are provided. In the example method, the applications reside on a mobile device that is configurable to access an enterprise system. The example method includes evaluating each of a plurality of applications variously for privacy, data leakage, and malicious behavior. The example method also includes calculating a risk score for each of the plurality of applications based on the evaluating; and automatically remediating (e.g., quarantining) the applications, of the plurality of applications, for which the risk score meets or exceeds a risk score threshold. The method may evaluate all of the applications residing on a mobile device. The method may include grouping application behaviors, for each of the applications, that indicate an increased risk into groups comprising various combinations of a privacy risk, a data leakage risk, an account takeover risk, a device takeover risk, and a malware risk.

Citations

26 Claims

1. A method, comprising:
- evaluating each of a plurality of applications for privacy, data leakage, or malicious behavior, the plurality of applications residing on a mobile device, the mobile device being configurable to access an enterprise system;
  
  calculating a risk score for each of the plurality of applications based on the evaluating;
  
  determining whether each of the plurality of applications meets or exceeds a risk score threshold; and
  
  automatically remediating the applications, of the plurality of applications, for which the risk score meets or exceeds the risk score threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein the evaluating is performed on the mobile device.
  - 3. The method of claim 1, wherein the evaluating is performed in a virtual environment.
  - 4. The method of claim 1, wherein the evaluating of each of a plurality of applications is for each one of the privacy, the data leakage, and the malicious behavior.
  - 5. The method of claim 1, wherein evaluating each of the plurality of applications for the privacy, data leakage, or malicious behavior further comprises performing at least one of a static, dynamic, and behavior analysis of each of the plurality of applications.
  - 6. The method of claim 1, wherein evaluating each of the plurality of applications for the privacy, data leakage, or malicious behavior further comprises performing a static, dynamic, and behavior analysis of each of the plurality of applications.
  - 7. The method of claim 6, wherein the static analysis comprises analyzing declared permissions for the application in comparison with actual resources of the mobile device that are utilized by the application.
  - 8. The method of claim 6, wherein the dynamic analysis comprises executing each of a plurality of applications in a virtual environment and further comprises analyzing application behaviors for each of a plurality of applications over a period of time.
  - 9. The method of claim 6, wherein the behavioral analysis comprises executing each of the plurality of applications in the virtual environment and monitoring input and output operations of the respective applications.
  - 10. The method of claim 6, wherein calculating a risk score for each of the plurality of applications further comprises calculating a resource risk score that is indicative of a reputation of network resources utilized by each of the plurality of applications.
  - 11. The method of claim 10, wherein calculating a risk score for each of the plurality of applications further comprises determining if the application encrypts data transmitted to the network resources.
  - 12. The method of claim 1, wherein the evaluating comprises:
    - grouping application behaviors, for the plurality of applications, that indicate an increased risk into groups comprising at least two of a privacy risk, a data leakage risk, an account takeover risk, a device takeover risk, and a malware risk.
  - 13. The method of claim 12, wherein the privacy risk comprises the risk of any transmission of sensitive information regarding a user over a network.
  - 14. The method of claim 12, wherein the data leakage risk comprises any transmission of unencrypted data by the application, any connection to a file sharing service by the application, and uploading of data to an untrusted service.
  - 15. The method of claim 13, wherein the malware risk comprises any activity performed by the application that is indicative of malicious behavior by the application of a network resource accessed by the application.
  - 16. The method of claim 13, wherein the account takeover risk comprises any transmission of authentication credentials to a network resource by the application, accessing an online account associated with a user of the mobile device in an unauthorized way, or accessing of an online account not associated with the user of the mobile device or authorized for the application.
  - 17. The method of claim 13, wherein the device takeover risk comprises one or more of:
    - any transmission of hardware identification information by the application, a violation of a policy for accessing a restricted application programming interface (API), and a jailbreak or rooting attempt by the application.
  - 18. The method of claim 1, wherein the evaluating comprises:
    - grouping application behaviors, for the plurality of applications, that indicate an increased risk into groups comprising a privacy risk, a data leakage risk, an account takeover risk, a device takeover risk, and a malware risk;
      
      wherein the malware risk comprises any activity performed by the application that is indicative of malicious behavior by the application of a network resource accessed by the application.
  - 19. The method of claim 13, further comprising comparing the application to a blacklist of applications, wherein, if at least one of the application and an application developer of the application is listed on the blacklist, the application is automatically remediated.
  - 20. The method of claim 19, further comprising calculating a publisher reputation score for the application developer, wherein the application developer is placed onto the blacklist if their publisher reputation score does not meet or exceed a publisher reputation score threshold.
  - 21. The method of claim 19, wherein calculating a risk score is further based on the reputation score for the application developer.
  - 22. The method of claim 1, wherein remediation comprises transmitting a warning to a user of the computing device or a system administrator.
  - 23. The method of claim 1, wherein remediation comprises quarantining.
  - 24. The method of claim 23, wherein quarantining comprises at least one of:
    - locking the mobile device, andretiring the computing device by preventing the computing device from accessing an enterprise network or enterprise services of the enterprise system.

25. A mobile device management system, comprising:
- one or more enterprise devices that provide enterprise services; and
  
  an application risk analysis system, comprising a processor that executes instructions stored in memory to;
  
  detect mobile devices attempting to access the enterprise services; and
  
  conduct a risk analysis of a plurality of applications residing on the mobile devices, comprising;
  
  comparing the plurality of applications to a whitelist and blacklist;
  
  for the applications not on the whitelist or blacklist, monitoring application behaviors of the application;
  
  grouping application behaviors that indicate an increased risk into groups comprising a privacy risk, a data leak risk, an account takeover risk, a device takeover risk, and a malware risk;
  
  calculating a risk score for each of the plurality of applications based on the application behaviors; and
  
  automatically remediating respective applications of the plurality of applications if the risk score calculated for the respective applications meets or exceeds a risk score threshold.

26. A non-transitory computer-readable storage medium having embodied thereon instructions, which, when executed by at least one processor, perform steps of a method, the method comprising:
- evaluating each of a plurality of applications for one or more of privacy, data leakage, and malicious behavior, the plurality of applications residing on a mobile device, the mobile device being configurable to access an enterprise system;
  
  calculating a risk score for each of the plurality of applications based on the evaluating;
  
  determining whether each of the plurality of applications meets or exceeds a risk score threshold; and
  
  automatically remediating the applications, of the plurality of applications, for which the risk score meets or exceeds the risk score threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Proofpoint Incorporated
Inventors
Jevans, David Alexander

Granted Patent

US 9,967,278 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04W 12/37   Managing security policies ...

SYSTEMS AND METHODS FOR APPLICATION SECURITY ANALYSIS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR APPLICATION SECURITY ANALYSIS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links