Controlling mobile device access to secure data
First Claim
1. A method, comprising:
- obtaining, by a mobile device, policy information via an access gateway through which a resource is accessible to a managed application of the mobile device, wherein the policy information defines that a private secure container and a shared secure container are to be used when the managed application is executing;
obtaining, via the access gateway, key information that includes one or more keys for encrypting or decrypting data of the private secure container or the shared secure container;
configuring the private secure container and the shared secure container based on the policy information, wherein the private secure container and the shared secure container are each a logical interface into which data is read from and written to in an encrypted form, wherein the private secure container is private to the managed application, and wherein the shared secure container is shared with at least one other managed application of the mobile device;
intercepting a read or write operation from the managed application while the managed application is executing on the mobile device, wherein the read or write operation comprises an application programming interface (API) call available via a file system of the mobile device, wherein the file system of the mobile device is different from both a file system of the private secure container and a file system of the shared secure container, and wherein the read or write operation indicates a type of data to be read or written;
determining, based on the policy information and the type of data to be read or written, whether to redirect the read or write operation to the shared secure container or the private secure container; and
based on the determining, redirecting the read or write operation to the private secure container or the shared secure container.
7 Assignments
0 Petitions
Accused Products
Abstract
Various aspects of the disclosure relate to providing secure containers or data vaults for data of one or more managed applications. In some embodiments, each managed application may be assigned its own private data vault and/or may be assigned a shared data vault that is accessible to at least one other managed application. As the managed application executes, calls for access to the data may be intercepted and redirected to the secure containers. Data stored in a secure container may be encrypted according to a policy. Other aspects relate to deleting data from a secure container, such as via a selective wipe of data associated with a managed application. Further aspects relate to configuring and creating the secure containers, retrieving key information required to encrypt/decrypt the data stored in the secure containers, and publishing the managed applications, policy information and key information for download to a mobile device.
425 Citations
20 Claims
-
1. A method, comprising:
-
obtaining, by a mobile device, policy information via an access gateway through which a resource is accessible to a managed application of the mobile device, wherein the policy information defines that a private secure container and a shared secure container are to be used when the managed application is executing; obtaining, via the access gateway, key information that includes one or more keys for encrypting or decrypting data of the private secure container or the shared secure container; configuring the private secure container and the shared secure container based on the policy information, wherein the private secure container and the shared secure container are each a logical interface into which data is read from and written to in an encrypted form, wherein the private secure container is private to the managed application, and wherein the shared secure container is shared with at least one other managed application of the mobile device; intercepting a read or write operation from the managed application while the managed application is executing on the mobile device, wherein the read or write operation comprises an application programming interface (API) call available via a file system of the mobile device, wherein the file system of the mobile device is different from both a file system of the private secure container and a file system of the shared secure container, and wherein the read or write operation indicates a type of data to be read or written; determining, based on the policy information and the type of data to be read or written, whether to redirect the read or write operation to the shared secure container or the private secure container; and based on the determining, redirecting the read or write operation to the private secure container or the shared secure container. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. An apparatus, comprising:
-
at least one processor; and memory storing executable instructions configured to, when executed by the at least one processor, cause the apparatus to; obtain policy information via an access gateway through which a resource is accessible to a managed application of the apparatus, wherein the policy information defines that a private secure container and a shared secure container are to be used when the managed application is executing; obtain, via the access gateway, key information that includes one or more keys for encrypting or decrypting data of the private secure container or the shared secure container; configure the private secure container and the shared secure container based on the policy information, wherein the private secure container and the shared secure container are each a logical interface into which data is read from and written to in an encrypted form, wherein the private secure container is private to the managed application, and wherein the shared secure container is shared with at least one other managed application of the apparatus; intercept a read or write operation from the managed application while the managed application is executing on the apparatus, wherein the read or write operation comprises an application programming interface (API) call available via a file system of the apparatus, wherein the file system of the apparatus is different from both a file system of the private secure container and a file system of the shared secure container, and wherein the read or write operation indicates a type of data to be read or written; determine, based on the policy information and the type of data to read or written, whether to redirect the read or write operation to the shared secure container or the private secure container; and based on the determining, redirect the read or write operation to the private secure container or the shared secure container. - View Dependent Claims (11, 12, 13, 14, 15, 16)
-
-
17. One or more non-transitory computer-readable media storing instructions configured to, when executed, cause a computing device to:
-
obtain policy information via an access gateway through which a resource is accessible to a managed application of the computing device, wherein the policy information defines that a private secure container and a shared secure container are to be used when the managed application is executing; obtain, via the access gateway, key information that includes one or more keys for encrypting or decrypting data of the private secure container or the shared secure container; configure the private secure container and the shared secure container based on the policy information, wherein the private secure container and the shared secure container are each a logical interface into which data is read from and written to in an encrypted form, wherein the private secure container is private to the managed application, and wherein the shared secure container is shared with at least one other managed application of the computing device; intercept a read or write operation from the managed application while the managed application is executing on the computing device, wherein the read or write operation comprises an application programming interface (API) call available via a file system of the computing device, wherein the file system of the computing device is different from both a file system of the private secure container and a file system of the shared secure container, and wherein the read or write operation indicates a type of data to be read or written; determine, based on the policy information and the type of data to be read or written, whether to redirect the read or write operation to the shared secure container or the private secure container; and based on the determining, redirect the read or write operation to the private secure container or the shared secure container. - View Dependent Claims (18, 19, 20)
-
Specification