Methods and apparatus to control privileges of mobile device applications

US 8,650,620 B2
Filed: 12/20/2010
Issued: 02/11/2014
Est. Priority Date: 12/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

assigning a process identifier to an application on a mobile device, the process identifier generated by an operating system of the mobile device, the mobile device having a first network interface and a second network interface different than the first network interface;

determining via a digital certificate that the application is;

authorized to be executed on the mobile device;

authorized to access the first network interface of the mobile device; and

unauthorized to access the second network interface of the mobile device;

configuring a mandatory access control module of the mobile device to control access of the first and second network interfaces by providing the process identifier to the mandatory access control module;

enabling the application to access the first network interface, wherein enabling the application to access the first network interface includes creating a virtual private network tunnel through the mobile device to a wireless network; and

preventing the application from accessing the second network interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus to control privileges of mobile device applications are disclosed. A disclosed example method includes assigning a process identifier to an application on a mobile device, the process identifier generated by an operating system of the mobile device, determining via a digital certificate that the application is authorized to be executed on the mobile device and that the application is authorized to access a network interface of the mobile device, configuring a mandatory access control module of the mobile device to enforce access of the network interface by providing the process identifier to the mandatory access control module, and enabling the application to access the network interface.

114 Citations

View as Search Results

17 Claims

1. A method, comprising:
- assigning a process identifier to an application on a mobile device, the process identifier generated by an operating system of the mobile device, the mobile device having a first network interface and a second network interface different than the first network interface;
  
  determining via a digital certificate that the application is;
  
  authorized to be executed on the mobile device;
  
  authorized to access the first network interface of the mobile device; and
  
  unauthorized to access the second network interface of the mobile device;
  
  configuring a mandatory access control module of the mobile device to control access of the first and second network interfaces by providing the process identifier to the mandatory access control module;
  
  enabling the application to access the first network interface, wherein enabling the application to access the first network interface includes creating a virtual private network tunnel through the mobile device to a wireless network; and
  
  preventing the application from accessing the second network interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as defined in claim 1, wherein the virtual private network tunnel prevents unauthorized applications from accessing the first network interface.
  - 3. A method as defined in claim 1, wherein the virtual private network tunnel prevents malicious applications from accessing a host server.
  - 4. A method as defined in claim 1, wherein the virtual private network tunnel prevents the application from accessing the wireless network.
  - 5. A method as defined in claim 1, further comprising determining via the digital certificate that the application is authorized to access a device interface of the mobile device.
  - 6. A method as defined in claim 1, wherein configuring the mandatory access control module to control access includes transmitting the process identifier of the application to the mandatory access control module, the process identifier being included within an instruction informing the mandatory access control module that the application associated with the process identifier is authorized to access the first network interface and unauthorized to access the second network interface.
  - 7. A method as defined in claim 1, further comprising determining via a second digital certificate that a second application is unauthorized to access the first network interface of the mobile device and is authorized to access the second network interface of the mobile device.
  - 8. A method as defined in claim 4, wherein the application connects to a host server via a virtual private network on a cellular network.
  - 9. A method as defined in claim 5, further comprising configuring the mandatory access control module to enforce access of the device interface to enable the application to access the device interface.

10. A mobile device, comprising:
- a first network interface;
  
  a second network interface;
  
  a memory having machine readable instructions and an application stored thereon;
  
  a processor to execute the machine readable instructions to perform operations comprising;
  
  determining via a digital certificate that the application is authorized to access the first network interface of the mobile device and unauthorized to access a second network interface of the mobile device;
  
  configuring a mandatory access control module of the mobile device to restrict access of the first and second network interfaces by providing a process identifier assigned to the application to the mandatory access control module;
  
  enabling the application to access the first network interface, wherein enabling the application to access the first network interface comprises creating a virtual private network tunnel; and
  
  preventing the application from accessing the second network interface.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The mobile device as defined in claim 10, wherein the operations further comprise assigning the process identifier to the application.
  - 12. The mobile device as defined in claim 10, wherein the digital certificate is included within the application and indicates that the application has access privileges to access the first network interface.
  - 13. The mobile device as defined in claim 11, wherein configuring the mandatory access control module to restrict access comprises conveying the process identifier of the application to the mandatory access control module.
  - 14. The mobile device as defined in claim 12, wherein the application has a lower privilege than a second application, and the application is to utilize the second application to access the second network interface.

15. A tangible machine-accessible storage medium comprising instructions that, when executed, cause a machine to perform operations comprising:
- assigning a process identifier to an application on a mobile device;
  
  determining via a digital certificate that the application is;
  
  authorized to be executed on the mobile device;
  
  authorized to access a first device interface of the mobile device; and
  
  unauthorized to access a second device interface of the mobile device, the second device interface being different from the first device interface;
  
  configuring a mandatory access control module of the mobile device to control access to the first and second device interfaces by providing the process identifier to the mandatory access control module;
  
  enabling the application to access the first device interface, wherein enabling the application to access the first network interface comprises creating a virtual private network tunnel through the mobile device via the mandatory access control module; and
  
  preventing the application from accessing the second device interface.
- View Dependent Claims (16, 17)
- - 16. A storage medium as defined in claim 15, wherein the operations further comprise determining via the digital certificate that the application is authorized to access a first network interface of the mobile device and unauthorized to access a second network interface of the mobile device.
  - 17. A storage medium as defined in claim 15, wherein the operations further comprise enabling the application to access a host service platform by connecting to a virtual private network via the first network interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chawla, Deepak K., Muller, Urs A.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Salehi, Helai

Application Number

US12/973,665
Publication Number

US 20120159578A1
Time in Patent Office

1,149 Days
Field of Search

455/410, 455/411
US Class Current

726/4
CPC Class Codes

G06F 21/51 at application loading time...

G06F 21/53 by executing in a restricte...

Methods and apparatus to control privileges of mobile device applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus to control privileges of mobile device applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links