Hardware interface access control for mobile applications

US 8,918,841 B2
Filed: 08/31/2011
Issued: 12/23/2014
Est. Priority Date: 08/31/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

implementing a virtual interface capable of providing applications on a mobile device with access to any network interface in a set of network interfaces, the applications restricted from accessing the network interfaces without using the virtual interface, the virtual interface provided by a virtual private network client executing in a kernel layer of an operating system of the mobile device;

configuring, by the virtual private network client, the virtual interface to form a first virtual interface for a first application on the mobile device to cause a first network interface in the set of network interfaces to be made accessible to the first application, the first network interface being selected by the virtual private network client for the first application from the set of network interfaces based on an access permission associated with the first application and in response to detection of a query from the first application for a list of available network interfaces, the first network interface that is selected and made accessible to the first application via the first virtual interface being unknown to the first application; and

providing the first application with access to the first network interface via the first virtual interface after the virtual private network client has established a virtual private network connection with a first destination, the virtual private network client to establish the virtual private network connection in response to the detection of the query from the first application for the list of available network interfaces, wherein the first application executes in at least one of an application layer of the operating system different from the kernel layer of the operating system or in a network accessible by the mobile device, and the virtual private network client executes persistently in a background process.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, articles of manufacture, and apparatus for hardware interface access control for mobile applications are disclosed. A disclosed example method includes restricting an application from accessing a set of hardware interfaces of a mobile device, and providing a virtual interface to the application via which the application is to access a first hardware interface in the set of hardware interfaces, the virtual interface provided by a program in a kernel layer of an operating system of the mobile device to control at least one of access or a method of access to the first hardware interface in the set of hardware interfaces, the first hardware interface that is accessible via the virtual interface being unknown to the application.

107 Citations

17 Claims

1. A method comprising:
- implementing a virtual interface capable of providing applications on a mobile device with access to any network interface in a set of network interfaces, the applications restricted from accessing the network interfaces without using the virtual interface, the virtual interface provided by a virtual private network client executing in a kernel layer of an operating system of the mobile device;
  
  configuring, by the virtual private network client, the virtual interface to form a first virtual interface for a first application on the mobile device to cause a first network interface in the set of network interfaces to be made accessible to the first application, the first network interface being selected by the virtual private network client for the first application from the set of network interfaces based on an access permission associated with the first application and in response to detection of a query from the first application for a list of available network interfaces, the first network interface that is selected and made accessible to the first application via the first virtual interface being unknown to the first application; and
  
  providing the first application with access to the first network interface via the first virtual interface after the virtual private network client has established a virtual private network connection with a first destination, the virtual private network client to establish the virtual private network connection in response to the detection of the query from the first application for the list of available network interfaces, wherein the first application executes in at least one of an application layer of the operating system different from the kernel layer of the operating system or in a network accessible by the mobile device, and the virtual private network client executes persistently in a background process.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as defined in claim 1, further comprising:
    - providing a second virtual interface to a second application if the second application is permitted to access at least one of the network interfaces; and
      
      not providing the second virtual interface to the second application if the second application is not permitted to access any of the set of network interfaces.
  - 3. The method as defined in claim 1, further comprising:
    - providing a second virtual interface to a second application, the second virtual interface to be configured for the second application to cause a second network interface in the set of network interfaces to be selected and made accessible to the second application, the second network interface that is selected and made accessible to the second application via the second virtual interface being unknown to the second application, the second network interface being different from the first network interface.
  - 4. The method as defined in claim 1, wherein the first virtual interface corresponds to an endpoint of a virtual private network tunnel.
  - 5. The method as defined in claim 1, wherein the set of network interfaces includes network interfaces to respectively interface with a cellular network and a WiFi network.
  - 6. The method as defined in claim 1, further comprising monitoring the virtual private network connection with a virtual private network tap executing in the kernel layer of the operating system of the mobile device.

7. A tangible computer readable storage device comprising machine readable instructions that, when executed, cause a machine to perform operations comprising:
- implementing a virtual interface capable of providing applications with access to any network interface in a set of network interfaces, the applications restricted from accessing the network interfaces without using the virtual interface, the virtual interface provided by a virtual private network client executing in a kernel layer of an operating system of the mobile device;
  
  configuring the virtual interface to form a first virtual interface for a first application on the mobile device to cause a first network interface in the set of network interfaces to be made accessible to the first application, the first network interface to be selected for the first application from the set of network interfaces based on an access permission associated with the first application and in response to detection of a query from the first application for a list of available network interfaces, the first network interface that is selected and made accessible to the first application via the first virtual interface being unknown to the first application; and
  
  providing the first application with access to the first network interface via the first virtual interface after the virtual private network client has established a virtual private network connection with a first destination, the virtual private network client to establish the virtual private network connection in response to the detection of the query from the first application for the list of available network interfaces, wherein the application is to execute in at least one of an application layer of the operating system different from the kernel layer of the operating system or in a network accessible by the mobile device, and the virtual private network client is to execute persistently in a background process.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The tangible computer readable storage device as defined in claim 7, wherein the operations further comprise:
    - providing a second virtual interface to a second application if the second application is permitted to access at least one of the network interfaces; and
      
      not providing the second virtual interface to the second application if the second application is not permitted to access any of the set of network interfaces.
  - 9. The tangible computer readable storage device as defined in claim 7, wherein the operations further comprise:
    - providing a second virtual interface to a second application, the second virtual interface to be configured for the second application to cause a second network interface in the set of network interfaces to be selected and made accessible to the second application, the second network interface that is selected and made accessible to the second application via the second virtual interface being unknown to the second application, the second network interface being different from the first network interface.
  - 10. The tangible computer readable storage device as defined in claim 7, wherein the first virtual interface corresponds to an endpoint of a virtual private network tunnel.
  - 11. The tangible computer readable storage device as defined in claim 7, wherein the set of network interfaces includes network interfaces to interface respectively with a cellular network and a WiFi network.
  - 12. The tangible computer readable storage device as defined in claim 7, wherein the operations further comprise monitoring the virtual private network connection with a virtual private network tap executing in the kernel layer of the operating system of the mobile device.

13. A mobile device comprising:
- a set of network interfaces;
  
  a first memory having machine readable instructions stored thereon;
  
  a processor to execute the instructions to perform operations comprising;
  
  determining whether a first application on the mobile device is authorized to access any of the network interfaces in the set;
  
  implementing a virtual interface capable of providing applications with access to any network interface in the set of network interfaces, the virtual interface to be provided by a virtual private network client integrated in a kernel layer of an operating system of the mobile device;
  
  instantiating a first instance of the virtual interface for the first application, the first instance of the virtual interface to cause a first network interface in the set of network interfaces to be made accessible to the first application, the first network interface to be selected for the first application from the set of network interfaces based on an access permission associated with the first application and in response to detection of a query from the first application for a list of available network interfaces, the first network interface that is selected and made accessible to the first application via the first instance of the virtual interface being unknown to the first application, but being one of a first subset of network interfaces the first application is permitted to access; and
  
  providing the first application with access to the first network interface via the first instance of the virtual interface after the virtual private network client has established a virtual private network connection with a first destination, the virtual private network client to establish the virtual private network connection in response to the detection of the query from the first application for the list of available network interfaces, wherein the first application is to execute in at least one of an application layer of the operating system different from the kernel layer of the operating system or in a network accessible by the mobile device, and the virtual private network client is to execute persistently in a background process.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The mobile device as defined in claim 13, wherein the operations further comprise processing a digital certificate to determine whether the first application is authorized to access any of the network interfaces in the set.
  - 15. The mobile device as defined in claim 13, wherein the first instance of the virtual interface corresponds to an endpoint of a virtual private network tunnel established by the virtual private network client.
  - 16. The mobile device as defined in claim 13, wherein the set of network interfaces includes network interfaces to interface respectively with a cellular network and a WiFi network.
  - 17. The mobile device as defined in claim 13, wherein the operations further comprise monitoring the virtual private network connection with a virtual private network tap executing in the kernel layer of the operating system of the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Chawla, Deepak, Muller, Urs A.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
GIDDINS, NELSON S

Application Number

US13/222,184
Publication Number

US 20130055347A1
Time in Patent Office

1,210 Days
Field of Search

726/3, 726/16
US Class Current

726/3
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/53   by executing in a restricte...

G06F 21/85   interconnection devices, e....

H04L 63/0272   Virtual private networks

H04W 12/082   using revocation of authori...

H04W 12/084   using delegated authorisati...

H04W 88/06   adapted for operation in mu...

Hardware interface access control for mobile applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

107 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Hardware interface access control for mobile applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others