Method and system for application-based policy monitoring and enforcement on a mobile device

US 8,844,032 B2
Filed: 03/02/2012
Issued: 09/23/2014
Est. Priority Date: 03/02/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, during execution of a software application by a mobile device on which an operating system is running, as a result of a non-operating system software routine comprising redirecting code interfacing with the software application after a user-initiated launch of the software application and prior to the execution of the software application, the software application initiating a system call to the operating system, the redirecting code enabling the detecting of the initiating of the system call by replacing an address associated with the system call with an address of intercepting code; and

prior to execution of the system call by the operating system;

determining, by executing the intercepting code to pass an argument of the system call to application monitoring code, whether the software application is attempting to perform a potentially unauthorized activity; and

determining, by executing the application monitoring code to evaluate the argument of the system call, whether to execute the system call in response to determining whether the software application is attempting to perform a potentially unauthorized activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for application-based monitoring and enforcement of security, privacy, performance and/or other policies on a mobile device includes incorporating monitoring and policy enforcement code into a previously un-monitored software application package that is installable on a mobile device, and executing the monitoring and policy enforcement code during normal use of the software application by a user of the mobile device.

63 Citations

View as Search Results

31 Claims

1. A method comprising:
- detecting, during execution of a software application by a mobile device on which an operating system is running, as a result of a non-operating system software routine comprising redirecting code interfacing with the software application after a user-initiated launch of the software application and prior to the execution of the software application, the software application initiating a system call to the operating system, the redirecting code enabling the detecting of the initiating of the system call by replacing an address associated with the system call with an address of intercepting code; and
  
  prior to execution of the system call by the operating system;
  
  determining, by executing the intercepting code to pass an argument of the system call to application monitoring code, whether the software application is attempting to perform a potentially unauthorized activity; and
  
  determining, by executing the application monitoring code to evaluate the argument of the system call, whether to execute the system call in response to determining whether the software application is attempting to perform a potentially unauthorized activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the mobile device operating system comprises a device-specific security system, comprising determining whether the software application is attempting to perform a potentially unauthorized activity independently of the device-specific security system.
  - 3. The method of claim 1, comprising determining whether the software application is attempting to perform a potentially unauthorized activity based on at least one security and/or privacy policy.
  - 4. The method of claim 3, wherein at least one security and/or privacy policy is associated with at least one of the system call, the software application, and a user of the mobile device.
  - 5. The method of claim 1, comprising analyzing at least one argument associated with the system call and determining whether the software application is attempting to perform a potentially unauthorized activity based on the at least one argument.
  - 6. The method of claim 5, wherein the system call is associated with an inter-process communication, comprising processing the at least one argument of the system call to determine at least one parameter associated with the inter-process communication, and determining whether the software application is attempting to perform a potentially unauthorized activity based on at least one of the parameters associated with the inter-process communication.
  - 7. The method of claim 5, comprising determining whether an argument of the system call is associated with an application that is known or suspected to be malicious by referring to a remote service.
  - 8. The method of claim 1, comprising associating the system call with at least one policy for blocking the execution of system calls and determining whether to execute the system call based on the at least one policy.
  - 9. The method of claim 1, comprising determining whether the system call is configured to initiate one or more of:
    - loading native code, establishing a communication connection to a remote device, sending a message, executing a computer program, requesting an input or output, creating a child process, and linking of a library.
  - 10. The method of claim 1, comprising receiving input relating to the system call from a user of the mobile device prior to executing the system call and determining whether to execute the system call, continue executing the software application without executing the system call, or discontinue execution of the software application, in response to the input from the user of the mobile device.
  - 11. The method of claim 10, comprising not executing the system call in response to the input from the user of the mobile device.
  - 12. The method of claim 10, comprising storing the input from the user, detecting the software application initiating a second system call to the operating system, accessing the stored input in response to detecting the second system call, and determining whether to execute the second system call based on the stored input.
  - 13. The method of claim 1, comprising displaying a message relating to the system call at the mobile device during execution of the software application.
  - 14. The method of claim 13, comprising displaying, at the mobile device, an indicator representing a degree of maliciousness of the system call.
  - 15. The method of claim 1, comprising, after a user-initiated launch of the software application and prior to the execution of the software application, changing a dynamic link such that during execution of the software application, a security and/or privacy monitoring routine executes prior to the execution of the system call.
  - 16. The method of claim 1, comprising defining a runtime priority so that the non-operating system software routine has a higher runtime priority than the software application.

17. An electronic device comprising:
- at least one processor,at least one memory device coupled to the at least one processor, the at least one memory device having stored therein a plurality of instructions that when executed by the at least one processor, cause the at least one processor to;
  
  process a first application package comprising a software application executable by a second electronic device to obtain at least one compiled component of the software application;
  
  associate at least one security and/or privacy monitoring routine with the at least one compiled component of the software application without modifying or replacing the at least one compiled component of the software application, the at least one security and/or privacy monitoring routine comprising redirecting code configured to interface with the software application after a user-initiated launch of the software application and prior to the execution of the software application, the software application initiating a system call to the operating system during execution of the software application, the redirecting code enabling the detecting of the initiating of the system call by replacing an address associated with the system call with an address of intercepting code, the intercepting code configured to pass an argument of the system call to policy enforcing code, the policy enforcing code configured to, during execution of the software application by the second electronic device, determine whether the software application is attempting to perform a potentially unauthorized activity; and
  
  create a second application package comprising the software application and the at least one security and/or privacy monitoring routine, the second application package adapted for installation by the second electronic device.
- View Dependent Claims (18)
- - 18. The electronic device of claim 17, configured to receive the first application package from the second electronic device via the network interface.

19. At least one non-transitory computer accessible medium comprising a plurality of instructions that in response to being executed, result in a mobile computing device:
- in response to a request to download an application package comprising at least one executable software application to the mobile computing device;
  
  initiating the creation of a new application package comprising the at least one executable software application and at least one security and/or privacy monitoring routine without modifying or replacing any of the executable components of the executable software application, the at least one security and/or privacy monitoring routine comprising redirecting code configured to interface with the software application after a user-initiated launch of the software application and prior to the execution of the software application, the software application initiating a system call to the operating system during execution of the software application, the redirecting code enabling the detecting of the initiating of the system call by replacing an address associated with the system call with an address of intercepting code, the intercepting code configured to pass an argument of the system call to policy enforcing code, the policy enforcing code configured to, during execution of the software application, determine whether the software application is attempting to perform a potentially unauthorized activity.
- View Dependent Claims (20, 21)
- - 20. The at least one non-transitory computer accessible medium of claim 19, comprising initiating the installation of the new application package on the mobile computing device.
  - 21. The at least one non-transitory computer accessible medium of claim 19, comprising initiating creation of the new application package at a second computing device communicatively coupled to the mobile computing device by a network and initiating downloading of the new application package to the mobile computing device.

22. A method for at least temporarily preventing an executable software application from executing a potentially unauthorized activity on a mobile computing device, the method comprising, at the mobile computing device:
- receiving input from a user of the mobile computing device, the input relating to at least one security, privacy, and/or performance monitoring policy associated with the executable software application;
  
  configuring computer code to monitor execution of the executable software application based on the policy, the computer code comprising redirecting code configured to interface with the software application after a user-initiated launch of the software application and prior to the execution of the software application, the software application initiating a system call to the operating system during execution of the software application, the redirecting code enabling the detecting of the initiating of the system call by replacing an address associated with the system call with an address of intercepting code, the intercepting code configured to pass an argument of the system call to policy enforcing code, the policy enforcing code configured to, during execution of the software application, determine whether the software application is attempting to perform a potentially unauthorized activity; and
  
  repackaging the executable software application with the computer code, without modifying or replacing any of the executable components of the executable software application, so that the computer code is executed in response to execution of the executable software application by the mobile computing device.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The method of claim 22, comprising receiving the input from the user during execution of the repackaged software application by the mobile computing device, and configuring the computer code based on the input received during execution of the repackaged software application.
  - 24. The method of claim 22, comprising repackaging the executable software application so that the computer code is executable in response to loading of the executable software application into memory for execution at the mobile computing device.
  - 25. The method of claim 22, comprising repackaging the executable software application without modifying the mobile computing device'"'"'s operating system.
  - 26. The method of claim 25, comprising repackaging the executable software application without modifying the executable software application.

27. A computing device comprising:
- at least one processor, andat least one memory device coupled to the at least one processor, the at least one memory device having stored therein a plurality of processor-executable instructions configured to;
  
  receive a request to download an executable software application to a mobile computing device; and
  
  in response to the request and prior to executing the executable software application at the mobile computing device;
  
  without modifying or replacing any of the executable components of the executable software application, repackage the executable software application with computer code configured to monitor at least one of security, privacy, and performance of the executable software application, so that the computer code is executable in response to execution of the executable software application at the mobile computing device, wherein the computer code comprises redirecting code configured to interface with the software application after a user-initiated launch of the software application and prior to the execution of the software application, the software application initiating a system call to the operating system during execution of the software application, the redirecting code enabling the detecting of the initiating of the system call by replacing an address associated with the system call with an address of intercepting code, the intercepting code configured to pass an argument of the system call to policy enforcing code, the policy enforcing code configured to, during execution of the software application, determine whether the software application is attempting to perform a potentially unauthorized activity.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The computing device of claim 27, wherein the computer code is configured to detect activity of the executable software application that conflicts with at least one user-specified security, privacy, and/or performance monitoring policy of the mobile computing device.
  - 29. The computing device of claim 28, wherein the computer code is configured to detect activity that may be initiated by the executable software application without the user'"'"'s knowledge.
  - 30. The computing device of claim 27, configured to receive input from a user of the mobile computing device during execution of the repackaged software application and configure the computer code based on the input received during execution of the repackaged software application.
  - 31. The computing device of claim 27, configured to initiate repackaging of the executable software application prior to downloading the executable software application to the mobile computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SRI International, Inc.
Original Assignee
SRI International, Inc.
Inventors
Saidi, Hassen, Xu, Rubin
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US13/411,200
Publication Number

US 20130232573A1
Time in Patent Office

935 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 21/6245   Protecting personal data, e...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

H04W 12/128   Anti-malware arrangements, ...

H04W 12/37   Managing security policies ...

H04W 88/02   Terminal devices

Method and system for application-based policy monitoring and enforcement on a mobile device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for application-based policy monitoring and enforcement on a mobile device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links