Systems and methods for mobile application security classification and enforcement

US 8,763,071 B2
Filed: 03/18/2011
Issued: 06/24/2014
Est. Priority Date: 07/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

configuring a mobile device such that the mobile device communicates data to an external network via a cloud-based security system;

receiving data from the mobile device;

enforcing policy on the data from the mobile device;

based on the policy, forwarding the data to the external network;

receiving data from the external network;

inspecting content of the data from the external network;

based on the inspecting content, forwarding the data to the mobile device;

determining and storing, in a database, a plurality of attributes for each of a plurality of applications for the mobile device and periodically updating the database, wherein the determining the plurality of attributes comprises determining a security score based on a plurality of factors related to security, and determining a privacy score based on a plurality of factors related to privacy; and

utilizing the database in the enforcing policy step to prevent the data from the mobile device from being forwarding if the data relates to an application which does not meet a minimum threshold related to the security score and the privacy score.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides systems and methods for mobile application security classification and enforcement. In particular, the present invention includes a method, a mobile device, and a distributed security system (e.g., a “cloud”) that is utilized to enforce security on mobile devices communicatively coupled to external networks (i.e., the Internet). Advantageously, the present invention is platform independent allowing it to operate with any current or emerging mobile device. Specifically, preventing malicious applications from running on an end user'"'"'s mobile device is challenging with potentially millions of applications and billions of user devices; the only effective way to enforce application security is through the network that applications use to communicate.

330 Citations

15 Claims

1. A method, comprising:
- configuring a mobile device such that the mobile device communicates data to an external network via a cloud-based security system;
  
  receiving data from the mobile device;
  
  enforcing policy on the data from the mobile device;
  
  based on the policy, forwarding the data to the external network;
  
  receiving data from the external network;
  
  inspecting content of the data from the external network;
  
  based on the inspecting content, forwarding the data to the mobile device;
  
  determining and storing, in a database, a plurality of attributes for each of a plurality of applications for the mobile device and periodically updating the database, wherein the determining the plurality of attributes comprises determining a security score based on a plurality of factors related to security, and determining a privacy score based on a plurality of factors related to privacy; and
  
  utilizing the database in the enforcing policy step to prevent the data from the mobile device from being forwarding if the data relates to an application which does not meet a minimum threshold related to the security score and the privacy score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - utilizing the database in the enforcing policy step.
  - 3. The method of claim 1, further comprising:
    - for a particular application, updating the plurality of attributes based on feedback from the cloud-based security system.
  - 4. The method of claim 1, further comprising:
    - determining a web risk index based on either the data from the mobile device or the data from the external network; and
      
      based on the web risk index, forwarding the data from the mobile device to the external network or forwarding the data from the external network to the mobile device.
  - 5. The method of claim 1, further comprising:
    - pushing a configuration to the mobile device prior to the configuring step.
  - 6. The method of claim 1, wherein the configuring step comprises setting the mobile device such that data to and from the mobile device is interfaced through the cloud-based security system.
  - 7. The method of claim 6, wherein the mobile device is configured with a Hypertext Transfer Protocol proxy designating the cloud-based security system.
  - 8. The method of claim 6, wherein the mobile device is configured with a Virtual Private Network to the cloud-based security system.
  - 9. The method of claim 1, wherein the inspecting content step comprises analyzing the data from the external network for malicious content.
  - 10. The method of claim 9, wherein the malicious content comprises viruses, spyware, malware, Trojans, botnets, spam email, phishing content, inappropriate content with respect to policy, black listed content, and combinations thereof.

11. A network security system, comprising:
- a processing node communicatively coupled to a mobile device and to an external network, wherein the processing node comprises a data store storing security policy data for the mobile device, data inspection engines configured to perform threat detection classification on content to the mobile device from the external network, and a manager communicatively coupled to the data store and the data inspection engines;
  
  wherein the processing node is configured to enforce policy between the mobile device and the external network and inspect content from the external network to the mobile device through the steps of;
  
  receiving data from the mobile device;
  
  enforcing policy on the data from the mobile device;
  
  based on the policy, forwarding the data to the external network;
  
  receiving data from the external network;
  
  inspecting content of the data from the external network;
  
  based on the inspecting content, forwarding the data to the mobile device;
  
  determining and storing, in the data store, a plurality of attributes for each of a plurality applications for the mobile device and periodically updating the data store, wherein the determining the plurality of attributes comprises determining a security score based on a plurality of factors related to security, and determining a privacy score based on a plurality of factors related to privacy; and
  
  utilizing the data store in the enforcing policy step to prevent the data from the mobile device from being forwarding if the data relates to an application which does not meet a minimum threshold related to the security score and the privacy score.
- View Dependent Claims (12, 13, 14)
- - 12. The network security system of claim 11, further comprising:
    - an authority node communicatively coupled to the processing node, wherein the authority node comprises a data store storing security policy data for the processing node and a plurality of other processing nodes;
      
      wherein the authority node is configured to maintain a database of application ratings for a plurality of applications associated with the mobile device, and wherein the database is utilized by the processing node to enforce the policy and to inspect the content.
  - 13. The network security system of claim 11, wherein the mobile device is configured with a Hypertext Transfer Protocol proxy designating the processing node.
  - 14. The network security system of claim 11, wherein the mobile device is configured with a Virtual Private Network to the processing node.

15. A server, comprising:
- a data store;
  
  a network interface communicatively coupled to a network;
  
  a processor, wherein the data store, the network interface, and the processor are communicatively coupled there between and configured to;
  
  receive data from a mobile device;
  
  enforce policy on the data from the mobile device;
  
  based on the policy, forward the data to the external network;
  
  receive data from the external network;
  
  inspect content of the data from the external network;
  
  based on the inspected content, forward the data to the mobile device;
  
  determine and store, in the data store, a plurality of attributes for each of a plurality of applications for the mobile device and periodically update the data store, wherein to determine the plurality of attributes comprises determining a security score based on a plurality of factors related to security, and determining a privacy score based on a plurality of factors related to privacy; and
  
  utilize the data store in the enforce policy step to prevent the data from the mobile device from being forwarding if the data relates to an application which does not meet a minimum threshold related to the security score and the privacy score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Sinha, Amit, Sutton, Michael Andrew William, Devarajan, Srikanth
Primary Examiner(s)
McNally, Michael S

Application Number

US13/051,519
Publication Number

US 20110167474A1
Time in Patent Office

1,194 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/56   Computer malware detection ...

H04L 63/20   for managing network securi...

H04L 67/306   User profiles

H04W 12/08   Access security

H04W 12/128   Anti-malware arrangements, ...

H04W 4/60   Subscription-based services...

Systems and methods for mobile application security classification and enforcement

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

330 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for mobile application security classification and enforcement

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

330 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links