System for the distribution and deployment of applications with provisions for security and policy conformance

US 8,832,855 B1
Filed: 09/06/2011
Issued: 09/09/2014
Est. Priority Date: 09/07/2010
Status: Active Grant

First Claim

Patent Images

1. A method for deploying applications to endpoint devices, the method comprising:

obtaining an application for an endpoint device, said endpoint device having a particular user and said application including application logic, wherein the application has embedded therein a device-binding token and the endpoint device includes a device ID;

launching the application, wherein the application has embedded therein a user-binding token and has an application ID, and wherein the application holds cryptographic keys for enabling decryption of encrypted data on the endpoint device;

during the launching of the application, connecting the application to a gateway, determining whether the application is bound to the endpoint device, and halting the launch of the application if the application is not bound to the endpoint device, wherein the step of determining whether an application is bound to an endpoint device is performed by obtaining the device ID of the endpoint device and comparing the device-binding token to the device ID to determine if the device-binding token matches the device ID;

determining the authenticity of the user;

determining whether the application is bound to the user, wherein determining whether the application is bound to the user comprises;

obtaining the user-binding token;

comparing the user-binding token to the application ID to determine if the user-binding token matches the application ID; and

when the user-binding token does not match the application ID, disconnecting the application from the gateway and erasing cryptographic keys held by the application prior to disconnecting the application from the gateway to cause encrypted data on the endpoint device to be unreadable; and

invoking the application logic on the endpoint device if the application is bound to the user and to the device and the user is authenticated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for deploying applications to end point devices. The applications are obtained from a marketplace that checks the applications and packages them for endpoint use according to certain policies. Packaging an application includes compiling or assembling and linking the application, possibly with a framework and possibly with a binding token, which can be a device binding token and/or a user binding token. The application is loaded onto an endpoint device and if the application is bound to the device and the user is allowed to use the application, the application is enabled to be used on the endpoint device. A gateway between the endpoint device and an authentication server helps to authenticate the user. The gateway also manages data transfers between the endpoint device and a data server according to a selected protocol.

49 Citations

View as Search Results

26 Claims

1. A method for deploying applications to endpoint devices, the method comprising:
- obtaining an application for an endpoint device, said endpoint device having a particular user and said application including application logic, wherein the application has embedded therein a device-binding token and the endpoint device includes a device ID;
  
  launching the application, wherein the application has embedded therein a user-binding token and has an application ID, and wherein the application holds cryptographic keys for enabling decryption of encrypted data on the endpoint device;
  
  during the launching of the application, connecting the application to a gateway, determining whether the application is bound to the endpoint device, and halting the launch of the application if the application is not bound to the endpoint device, wherein the step of determining whether an application is bound to an endpoint device is performed by obtaining the device ID of the endpoint device and comparing the device-binding token to the device ID to determine if the device-binding token matches the device ID;
  
  determining the authenticity of the user;
  
  determining whether the application is bound to the user, wherein determining whether the application is bound to the user comprises;
  
  obtaining the user-binding token;
  
  comparing the user-binding token to the application ID to determine if the user-binding token matches the application ID; and
  
  when the user-binding token does not match the application ID, disconnecting the application from the gateway and erasing cryptographic keys held by the application prior to disconnecting the application from the gateway to cause encrypted data on the endpoint device to be unreadable; and
  
  invoking the application logic on the endpoint device if the application is bound to the user and to the device and the user is authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein the step of obtaining an application for an endpoint device is performed by receiving the application from an application distribution system.
  - 3. The method of claim 2, wherein the application distribution system includes a network of marketplaces.
  - 4. The method of claim 1,wherein the application has embedded therein a device binding token and the endpoint device has a device id;
    - andwherein the step of determining whether an application is bound to an endpoint device is performed by;
      
      obtaining the device id of the endpoint device; and
      
      comparing the token to the device id to determine if the token matches the id.
  - 5. The method of claim 1,wherein the gateway connects to an authorization server;
    - andwherein the step of determining the authenticity of the user includes;
      
      sending a request from the endpoint device to an authorization unit in the authorization server via the gateway; and
      
      receiving a positive or negative response from the authorization unit in the authorization server via the gateway.
  - 6. The method of claim 1,wherein the gateway includes an authorization unit;
    - andwherein the step of determining the authenticity of the user includes;
      
      relaying a request from the endpoint device to the authorization unit of the gateway; and
      
      receiving a positive or negative response from the authorization unit of the gateway.
  - 7. The method of claim 6, further comprising disconnecting the application from the gateway if the endpoint device receives a negative response from the authorization unit.
  - 8. The method of claim 7, further comprising preventing the invocation of the application logic if the user is not authorized.
  - 9. The method of claim 6,wherein the step of receiving a positive or negative response from the authorization unit of the gateway includes receiving a plurality of negative responses;
    - wherein the application holds cryptographic keys for enabling the decryption of encrypted data on the endpoint device; and
      
      further comprising erasing any cryptographic keys held by the application when authorization unit receives the plurality of negative responses.
  - 10. The method of claim 1, further comprising receiving cryptographic key material from the gateway after authenticating the user, said key material enabling the application to access any stored data on the endpoint device.
  - 11. The method of claim 1,wherein the endpoint device contains local data storage for holding data relating to operation of the application;
    - andfurther comprising encrypting data held in local data storage.
  - 12. The method of claim 11, wherein the step of encrypting data held in local data storage is performed by an application interface (API) in the endpoint device.
  - 13. The method of claim 1, further comprising communicating information, including requests, to and from the application in the endpoint device and the gateway.
  - 14. The method of claim 13, wherein all information communicated between the application and the gateway is encrypted.
  - 15. The method of claim 1, further comprising transferring data to or from the endpoint device and the gateway.
  - 16. The method of claim 15,wherein the step of transferring data occurs via one or more application interfaces (APIs) in the endpoint device;
    - andwherein at least one API ensures that any data transferred is securely transferred.
  - 17. The method of claim 15, wherein the step of transferring data includes encrypting the data transferred to or from the endpoint device.
  - 18. The method of claim 17, wherein the step of encrypting the data transferred to or from the endpoint device includes preventing leakage of data from or the injection of data into the transferred data.
  - 19. The method of claim 15,wherein the gateway includes bus unit and a data interface unit that determines whether a data access is permitted;
    - andwherein the step of transferring data includes routing a data transfer request to the data interface unit to determine that a data access is permitted and if so, forwarding the request to the bus unit.
  - 20. The method of claim 15,wherein the gateway includes a bus unit that handles data access requests;
    - andwherein the step of transferring data includes requesting the bus unit to transfer the data, said bus unit mapping the request, based on an address of the data, to a protocol implementation.
  - 21. The method of claim 20, wherein said protocol implementation transferring said data to or from said data server in accordance with the protocol implementation to which the request is mapped.
  - 22. The method of claim 1, wherein the endpoint device includes a service unit with a user interface and a programmatic interface to permit troubleshooting of applications on the endpoint device.
  - 23. The method of claim 1, further comprising:
    - authenticating a troubleshooting routine; and
      
      troubleshooting an application via the authenticated troubleshooter.
  - 24. The method of claim 1, further comprising gathering metrics information from the gateway based on application data captured by the gateway.

25. A method for deploying applications to endpoint devices, the method comprising:
- obtaining an application for an endpoint device, said endpoint device having a particular user and said application including application logic, wherein the application has embedded therein a device-binding token and the endpoint device includes a device ID;
  
  launching the application, wherein the application has embedded therein a user-binding token and has an application ID, and wherein the application holds cryptographic keys for enabling decryption of encrypted data on the endpoint device;
  
  during the launching of the application, connecting the application to a gateway, determining whether the application is bound to the endpoint device, and halting the launch of the application if the application is not bound to the endpoint device, wherein the step of determining whether the application is bound to the endpoint device is performed by obtaining the device ID of the endpoint device and comparing the device-binding token to the device ID to determine if the device-binding token matches the device ID;
  
  determining the authenticity of the user;
  
  comparing the user-binding token to the application ID to determine if the user-binding token matches the application ID; and
  
  when the user-binding token does not match the application ID, disconnecting the application from the gateway and erasing cryptographic keys held by the application prior to disconnecting the application from the gateway to cause encrypted data on the endpoint device to be unreadable; and
  
  invoking the application logic on the endpoint device if the application is bound to the user and to the device and the user is authenticated.

26. A method for deploying applications to endpoint devices, the method comprising:
- obtaining an application for an endpoint device, said endpoint device having a particular user and said application including application logic, wherein the application has embedded therein a device-binding token and the endpoint device includes a device ID;
  
  launching the application, wherein the application has embedded therein a user-binding token and has an application ID, and wherein the application holds cryptographic keys for enabling decryption of encrypted data on the endpoint device;
  
  during the launching of the application, connecting the application to a gateway, determining whether the application is bound to the endpoint device, and halting the launch of the application if the application is not bound to the endpoint device, wherein the step of determining whether an application is bound to an endpoint device is performed by obtaining the device ID of the endpoint device and comparing the device-binding token to the device ID to determine if the device-binding token matches the device ID;
  
  determining whether the application is bound to the user, wherein determining whether the application is bound to the user includes;
  
  obtaining the user-binding token;
  
  comparing the user-binding token to the application ID to determine if the user-binding token matches the application ID; and
  
  when the user-binding token does not match the application ID, disconnecting the application from the gateway and erasing cryptographic keys held by the application prior to disconnecting the application from the gateway to cause encrypted data on the endpoint device to be unreadable; and
  
  invoking the application logic on the endpoint device if the application is bound to the user and to the endpoint device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Enderwick, Thomas Jeffrey, Perret, Christopher Edward
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/226,351
Time in Patent Office

1,099 Days
Field of Search

726 1- 10, 726 16- 21, 726 26- 30, 713164-167, 713/189, 713/193
US Class Current

726/28
CPC Class Codes

G06F 21/121   Restricting unauthorised ex...

G06F 21/30   Authentication, i.e. establ...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 2221/2149   Restricted operating enviro...

G06F 8/60   Software deployment

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

System for the distribution and deployment of applications with provisions for security and policy conformance

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System for the distribution and deployment of applications with provisions for security and policy conformance

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links