FETCHING A POLICY DEFINITION LIBRARY FROM A POLICY SERVER AT MOBILE DEVICE RUNTIME OF AN APPLICATION PACKAGE TO CONTROL ACCESS TO MOBILE DEVICE RESOURCES

US 20170085591A1
Filed: 09/23/2015
Published: 03/23/2017
Est. Priority Date: 09/23/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

performing operations as follows on a processor of a mobile device;

responsive to occurrence of a defined event associated with an application package, fetching a policy definition library from a policy server through a data network, the policy definition library containing policies defining resources of the mobile device that the application package is permitted to access;

executing the wrapped application package containing application executable code and application wrapper executable code that is called by each execution of an agnostic wrapper function residing at each of a plurality of locations in the application executable code; and

responsive to execution of the agnostic wrapper function at any of the plurality of locations in the application executable code, executing the application wrapper executable code to control whether access by the application executable code is granted to resources of the mobile device based on the policies contained in the policy definition library.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile device fetches a policy definition library from a policy server responsive to occurrence of a defined event associated with an application package. The policy definition library contains policies defining resources of the mobile device that the application package is permitted to access. The mobile device executes the wrapped application package containing application executable code and application wrapper executable code that is called by each execution of an agnostic wrapper function residing at each of a plurality of locations in the application executable code. Responsive to execution of the agnostic wrapper function at any of the plurality of locations in the application executable code, the mobile device executes the application wrapper executable code to control whether access by the application executable code is granted to resources of the mobile device based on the policies contained in the policy definition library.

Citations

20 Claims

1. A method comprising:
- performing operations as follows on a processor of a mobile device;
  
  responsive to occurrence of a defined event associated with an application package, fetching a policy definition library from a policy server through a data network, the policy definition library containing policies defining resources of the mobile device that the application package is permitted to access;
  
  executing the wrapped application package containing application executable code and application wrapper executable code that is called by each execution of an agnostic wrapper function residing at each of a plurality of locations in the application executable code; and
  
  responsive to execution of the agnostic wrapper function at any of the plurality of locations in the application executable code, executing the application wrapper executable code to control whether access by the application executable code is granted to resources of the mobile device based on the policies contained in the policy definition library.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the, responsive to execution of the agnostic wrapper function at any of the plurality of locations in the application executable code, executing the application wrapper executable code to control whether access by the application executable code is granted to resources of the mobile device based on the policies contained in the policy definition library, comprises:
    - responsive to execution of the agnostic wrapper function at one of the plurality of locations in the application executable code,receiving by the application wrapper executable code a resource object name identifying one type of resource that is requested to be accessed by the application executable code and an argument of the agnostic wrapper function to be passed to the one type of resource,determining, by the application wrapper executable code, whether the application executable code has permission to access the one type of resource identified by the resource object name based on applying one of the policies defining resources of the mobile device that the application package is permitted to access, andbased on determining that the application executable code has permission to access the one type of resource identified by the resource object name, and generating by the application wrapper executable code an operating system (OS) application programming interface (API) call, which contains the argument of the agnostic wrapper function, to the one type of resource identified by the resource object name.
  - 3. The method of claim 2, wherein the, responsive to execution of the agnostic wrapper function at any of the plurality of locations in the application executable code, executing the application wrapper executable code to control whether access by the application executable code is granted to resources of the mobile device based on the policies contained in the policy definition library, further comprises:
    - responsive to execution of the agnostic wrapper function at another one of the plurality of locations in the application executable code,receiving by the application wrapper executable code another resource object name identifying another resource that is requested to be accessed by the application executable code and an argument of the another agnostic wrapper function to be passed to the another type of resource,determining, by the application wrapper executable code, whether the application executable code has permission to access the another resource identified by the another resource object name based on applying another one of the policies defining resources of the mobile device that the application package is permitted to access, andbased on determining that the application executable code has permission to access the another resource identified by the another resource object name, generating by the application wrapper executable code another OS API call, which contains the argument of the another agnostic wrapper function, to the another resource identified by the another resource object name.
  - 4. The method of claim 3, wherein the operations further comprise:
    - based on determining that the application executable code has permission to access the one type of resource identified by the resource object name, executing the application wrapper executable code to pass a response by the one type of resource, from the OS API call, to the agnostic wrapper function; and
      
      based on determining that the application executable code has permission to access the another type of resource identified by the another resource object name, executing the application wrapper executable code to pass a response by the another type of resource, from the another OS API call, to the another agnostic wrapper function.
  - 5. The method of claim 4, wherein the one type of resource identified by the resource object name and the another type of resource identified by the another resource object name are two different ones of the following resources of the mobile device:
    - a camera resource;
      
      a source recorder resource;
      
      a location services resource; and
      
      a contact information repository resource.
  - 6. The method of claim 2, wherein the operations further comprise:
    - based on determining that the application executable code does not have permission to access the one type of resource identified by the resource object name, executing the application wrapper executable code to block generation of the OS API call to the one type of resource identified by the resource object name.
  - 7. The method of claim 1, wherein the fetching a policy definition library from a policy server through a data network, the policy definition library containing policies defining resources of the mobile device that the application package is permitted to access, comprises:
    - communicating a request message directed through the data network to the policy server, the request message containing an identifier of the application package and which requests delivery of one of a plurality of policy definition libraries accessible through the policy server that is associated with the identifier of the application package; and
      
      receiving the one of the plurality of policy definition libraries from the policy server.
  - 8. The method of claim 7, wherein the operations further comprise:
    - identifying the occurrence of the defined event associated with the application package responsive to receiving login information from the application executable code;
      
      communicating a login request message through the data network to the policy server, the login request message containing the login information;
      
      receiving a login response message from the policy server; and
      
      performing the communicating the request message directed through the data network to the policy server responsive to the login response message indicating an authorization for the application wrapper executable code to request the delivery of one of the plurality of policy definition libraries accessible through the policy server.
  - 9. The method of claim 7, wherein the communicating a request message directed through the data network to the policy server, comprises:
    - synchronizing content of a policy definition library residing in a memory of the mobile device to correspond to content of the one of the plurality of policy definition libraries accessible through the policy server that is associated with the identifier.
  - 10. The method of claim 7, wherein the responsive to occurrence of a defined event associated with an application package, fetching a policy definition library from a policy server through a data network, the policy definition library containing policies defining resources of the mobile device that the application package is permitted to access, comprises:
    - identifying the occurrence of the defined event associated with the application package responsive to execution of the agnostic wrapper function at one of the plurality of locations in the application executable code;
      
      responsive to the execution of the agnostic wrapper function,communicating the request message directed through the data network to the policy server, the request message containing the identifier of the application package and which requests delivery of one of a plurality of policy definition libraries accessible through the policy server that is associated with the identifier of the application package,receiving the one of the plurality of policy definition libraries from the policy server, andsynchronizing content of a policy definition library residing in a memory of the mobile device to correspond to content of the one of the plurality of policy definition libraries.

11. A method comprising:
- performing operations as follows on a processor of a policy server;
  
  receiving a request message through a data network from a mobile device, the request message containing an identifier of an application package on the mobile device and which requests delivery of one of a plurality of policy definition libraries accessible through the policy server that is associated with the identifier of the application package;
  
  fetching the one of the plurality of policy definition libraries based on the identifier of the application package; and
  
  communicating the one of the plurality of policy definition libraries to the mobile device via the data network.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, wherein the operations further comprise:
    - prior to receiving the request message,receiving a login request message through the data network from the mobile device, the login request message containing login information identifying a user of the mobile device;
      
      determining whether the user is authorized to request delivery of the policy definition libraries; and
      
      communicating a login response message through the data network to the mobile devicewherein the communicating the one of the plurality of policy definition libraries to the mobile device via the data network is only performed based on the application package being determined to be authorized to request delivery of the one of the plurality of policy definition libraries.
  - 13. The method of claim 11, wherein the communicating the one of the plurality of policy definition libraries to the mobile device via the data network, comprises:
    - synchronizing content of a policy definition library residing in a memory of the mobile device to correspond to content of the one of the plurality of policy definition libraries accessible through the policy server.

14. A mobile device, comprising:
- a processor; and
  
  a memory coupled to the processor and storing computer readable program code that when executed by the processor causes the processor to perform operations comprising;
  
  responsive to occurrence of a defined event associated with an application package, fetching a policy definition library from a policy server through a data network, the policy definition library containing policies defining resources of the mobile device that the application package is permitted to access;
  
  executing the wrapped application package containing application executable code and application wrapper executable code that is called by each execution of an agnostic wrapper function residing at each of a plurality of locations in the application executable code; and
  
  responsive to execution of the agnostic wrapper function at any of the plurality of locations in the application executable code, executing the application wrapper executable code to control whether access by the application executable code is granted to resources of the mobile device based on the policies contained in the policy definition library.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The mobile device of claim 14, wherein the, responsive to execution of the agnostic wrapper function at any of the plurality of locations in the application executable code, executing the application wrapper executable code to control whether access by the application executable code is granted to resources of the mobile device based on the policies contained in the policy definition library, comprises:
    - responsive to execution of the agnostic wrapper function at one of the plurality of locations in the application executable code,receiving by the application wrapper executable code a resource object name identifying one type of resource that is requested to be accessed by the application executable code and an argument of the agnostic wrapper function to be passed to the one type of resource,determining, by the application wrapper executable code, whether the application executable code has permission to access the one type of resource identified by the resource object name based on applying one of the policies defining resources of the mobile device that the application package is permitted to access, andbased on determining that the application executable code has permission to access the one type of resource identified by the resource object name, and generating by the application wrapper executable code an operating system (OS) application programming interface (API) call, which contains the argument of the agnostic wrapper function, to the one type of resource identified by the resource object name.
  - 16. The mobile device of claim 15, wherein the, responsive to execution of the agnostic wrapper function at any of the plurality of locations in the application executable code, executing the application wrapper executable code to control whether access by the application executable code is granted to resources of the mobile device based on the policies contained in the policy definition library, further comprises:
    - responsive to execution of the agnostic wrapper function at another one of the plurality of locations in the application executable code,receiving by the application wrapper executable code another resource object name identifying another resource that is requested to be accessed by the application executable code and an argument of the another agnostic wrapper function to be passed to the another type of resource,determining, by the application wrapper executable code, whether the application executable code has permission to access the another resource identified by the another resource object name based on applying another one of the policies defining resources of the mobile device that the application package is permitted to access, andbased on determining that the application executable code has permission to access the another resource identified by the another resource object name, generating by the application wrapper executable code another OS API call, which contains the argument of the another agnostic wrapper function, to the another resource identified by the another resource object name.
  - 17. The mobile device of claim 16, wherein the operations further comprise:
    - based on determining that the application executable code has permission to access the one type of resource identified by the resource object name, executing the application wrapper executable code to pass a response by the one type of resource, from the OS API call, to the agnostic wrapper function; and
      
      based on determining that the application executable code has permission to access the another type of resource identified by the another resource object name, executing the application wrapper executable code to pass a response by the another type of resource, from the another OS API call, to the another agnostic wrapper function.
  - 18. The mobile device of claim 17, wherein the one type of resource identified by the resource object name and the another type of resource identified by the another resource object name are two different ones of the following resources of the mobile device:
    - a camera resource;
      
      a source recorder resource;
      
      a location services resource; and
      
      a contacts information repository resource.
  - 19. The mobile device of claim 15, wherein the operations further comprise:
    - based on determining that the application executable code does not have permission to access the one type of resource identified by the resource object name, executing the application wrapper executable code to block generation of the OS API call to the one type of resource identified by the resource object name.
  - 20. The mobile device of claim 14, wherein the operations further comprise:
    - identifying the occurrence of the defined event associated with the application package responsive to receiving login information from the application executable code;
      
      communicating a login request message through the data network to the policy server, the login request message containing the login information; and
      
      receiving a login response message from the policy server,wherein the fetching a policy definition library from a policy server through a data network, the policy definition library containing policies defining resources of the mobile device that the application package is permitted to access, comprises;
      
      responsive to the login response message indicating an authorization for the application wrapper executable code to request the delivery of one of the plurality of policy definition libraries accessible through the policy server, communicating a request message directed through the data network to the policy server, the request message containing an identifier of the application package and which requests delivery of one of a plurality of policy definition libraries accessible through the policy server that is associated with the identifier of the application package; and
      
      receiving the one of the plurality of policy definition libraries from the policy server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
GANDA, MADHUSUDHAN, Nandakumar, Vikrant, MURTHY, VARDHINEEDI SATYANARAYANA, PINNINTI, Hemanth Kumar

Granted Patent

US 10,104,123 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

H04L 63/20   for managing network securi...

H04W 12/08   Access security

FETCHING A POLICY DEFINITION LIBRARY FROM A POLICY SERVER AT MOBILE DEVICE RUNTIME OF AN APPLICATION PACKAGE TO CONTROL ACCESS TO MOBILE DEVICE RESOURCES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FETCHING A POLICY DEFINITION LIBRARY FROM A POLICY SERVER AT MOBILE DEVICE RUNTIME OF AN APPLICATION PACKAGE TO CONTROL ACCESS TO MOBILE DEVICE RESOURCES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links