Creating a virtual private network (VPN) for a single app on an internet-enabled device or system

US 8,990,920 B2
Filed: 05/01/2013
Issued: 03/24/2015
Est. Priority Date: 02/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method of implementing a dedicated, non-shared virtual private network (VPN) between an application executing on a device and a VPN gateway, the method comprising:

making a call to an operating system, the call being made by an app on the device;

re-directing the call to an app VPN-specific IP stack within the app making the call to the operating system, wherein said app VPN-specific IP stack builds one or more IP packets;

building one or more IP packets in the app VPN-specific IP stack;

encapsulating the one or more IP packets using IPsec in the app VPN-specific IP stack;

ensuring that only the app making the call to the operating system is utilizing the app VPN-specific IP stack to encapsulate the one or more IP packets, thereby preventing another app from using the dedicated, non-shared VPN; and

transmitting the encapsulated one or more IP packets from within the app to a transport module external to the app and in an operating system of the device for the purpose of transmission to an external VPN gateway, wherein the app VPN-specific IP stack is not integrated with the operating system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Internet-enabled device, such as a smartphone, tablet, PC, wearable sensor, or household appliance, executes an application (or “app”) has its own VPN connection with a VPN gateway device. The app does not use the device-level or system VPN to connect with the gateway. The app, which may be security wrapped, is made more secure by having its own VPN tunnel with the gateway, wherein the VPN tunnel is not used by other apps running on the device. The conventional (or device-level) VPN connection is not used by the app(s). The app has its own IP stack, an HTTP proxy layer, an IPsec module, and a virtual data link layer which it uses to build IP packets, encapsulate them, and transmit them to a transport module in the device operating system, for example, a UDP module.

32 Citations

View as Search Results

17 Claims

1. A method of implementing a dedicated, non-shared virtual private network (VPN) between an application executing on a device and a VPN gateway, the method comprising:
- making a call to an operating system, the call being made by an app on the device;
  
  re-directing the call to an app VPN-specific IP stack within the app making the call to the operating system, wherein said app VPN-specific IP stack builds one or more IP packets;
  
  building one or more IP packets in the app VPN-specific IP stack;
  
  encapsulating the one or more IP packets using IPsec in the app VPN-specific IP stack;
  
  ensuring that only the app making the call to the operating system is utilizing the app VPN-specific IP stack to encapsulate the one or more IP packets, thereby preventing another app from using the dedicated, non-shared VPN; and
  
  transmitting the encapsulated one or more IP packets from within the app to a transport module external to the app and in an operating system of the device for the purpose of transmission to an external VPN gateway, wherein the app VPN-specific IP stack is not integrated with the operating system.

2. A method comprising:
- receiving a first request from a first app running on a device to send first data;
  
  redirecting the first data to a first app virtual private network (VPN) Internet Protocol (IP) stack within the first app to generate a first plurality of IP packets, wherein said first app VPN IP stack builds a first one or more IP packets;
  
  encapsulating the first plurality of IP packets to form a first plurality of encapsulated IP packets, said encapsulating executed in the first app VPN IP stack for transmission using a first per-app VPN tunnel from the device to a VPN gateway;
  
  ensuring that only the first app is utilizing the first app VPN IP stack to encapsulate the first plurality of IP packets, thereby preventing another app from using the first per-app VPN tunnel;
  
  receiving a second request from a second app running on the device to send second data;
  
  redirecting the second data to a second app VPN IP stack within the second app to generate a second plurality of IP packets, wherein said second app VPN IP stack builds a second one or more IP packets;
  
  encapsulating the second plurality of IP packets to form a second plurality of encapsulated IP packets, said encapsulating executed in the second app VPN IP stack for transmission using a second per-app VPN tunnel from the device to the VPN gateway; and
  
  ensuring that only the second app is utilizing the second app VPN IP stack to encapsulate the second plurality of IP packets, thereby preventing another app from using the second per-app VPN tunnel.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10)
- - 3. The method of claim 2, wherein the first plurality of IP packets is encapsulated and provided to a system level User Data Protocol (UDP) module for transmission to the VPN gateway.
  - 4. The method of claim 2, wherein the first app is associated with a first per-app VPN IP stack residing in a first sandbox area.
  - 5. The method of claim 4, wherein the second app is associated with a second per-app VPN IP stack residing in a second sandbox area.
  - 6. The method of claim 5, wherein the first per-app VPN IP stack within the first app and the second per-app VPN IP stack within the second app share a system level UDP module.
  - 7. The method of claim 2, wherein the first plurality of encapsulated IP packets and the second plurality of encapsulated IP packets are transmitted to a VPN gateway using UDP.
  - 8. The method of claim 2, wherein the first plurality of encapsulated IP packets and the second plurality of encapsulated IP packets are transmitted to a VPN gateway using a Transmissions Control Protocol (TCP).
  - 9. The method of claim 2, wherein the first plurality of IP packets and the second plurality of IP packets are encapsulated using Internet Protocol Security (IPSec).
  - 10. The method of claim 2, wherein the first per-app VPN tunnel associated with the device has a different configuration profile from the second per-app VPN tunnel associated with the device.

11. A device comprising:
- an interface operable to receive a first request from a first app running on the device to send first data and to receive a second request from a second app running on the device to send second data, said interface functioning in an operating system of the device, external to the first app and the second app; and
  
  a processor operable to redirect the first data to a first app virtual private network (VPN) Internet Protocol (IP) stack within the first app making the first request to generate a first plurality of IP packets and to redirect the second data to a VPN second app IP stack within the second app making the second request to generate a second plurality of IP packets;
  
  wherein the first plurality of IP packets are encapsulated to form a first plurality of encapsulated IP packets for transmission using a first per-app VPN tunnel from the device to a VPN gateway and the second plurality of IP packets are encapsulated to form a second plurality of encapsulated IP packets for transmission using a second per-app VPN tunnel from the device to the VPN gateway.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The device of claim 11, wherein the first plurality of IP packets are encapsulated and provided to a device level User Data Protocol (UDP) module for transmission to the VPN gateway.
  - 13. The device of claim 12, wherein the first per-app VPN stack and the second per-app VPN stack share the device-level UDP module, external of the first stack and the second stack.
  - 14. The device of claim 11, wherein the first plurality of encapsulated IP packets and the second plurality of encapsulated IP packets are transmitted to the VPN gateway using UDP.
  - 15. The device of claim 11, wherein the first plurality of encapsulated IP packets and the second plurality of encapsulated IP packets are transmitted to the VPN gateway using a Transmissions Control Protocol (TCP).
  - 16. The device of claim 11, wherein the first plurality of IP packets and the second plurality of IP packets are encapsulated using Internet Protocol Security (IPSec).

17. A non-transitory computer readable medium comprising:
- computer code for receiving a first request from a first app running on a device to send first data;
  
  computer code for redirecting the first data to a first app VPN Internet Protocol (IP) stack, within the first app to generate a first plurality of IP packets, wherein said first app VPN IP stack builds a first one or more IP packets;
  
  computer code for encapsulating the first plurality of IP packets to form a first plurality of encapsulated IP packets, said encapsulating executed in the first app VPN IP stack, for transmission using a first per-app VPN tunnel from the device to the VPN gateway;
  
  computer code for ensuring that only the first app is utilizing the first app VPN IP stack to encapsulate the first plurality of IP packets, thereby preventing another app from using the first per-app VPN tunnel;
  
  computer code for receiving a second request from a second app running on the device to send second data;
  
  computer code for redirecting the second data to a second app VPN IP stack, within the second app, to generate a second plurality of IP packets;
  
  computer code for encapsulating the second plurality of IP packets to form a second plurality of encapsulated IP packets, said encapsulating executed in the first app VPN IP stack, for transmission using a second per-app VPN tunnel from the device to the VPN gateway; and
  
  computer code for ensuring that only the second app is utilizing the second app VPN IP stack to encapsulate the second plurality of IP packets, thereby preventing another app from using the second per-app VPN tunnel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Blue Cedar Networks, Inc.
Original Assignee
Mocana Corporation (DigiCert Incorporated)
Inventors
Pontillo, Michael Scott, Blaisdell, James, Dzeng, Shawn-Lin
Primary Examiner(s)
Okeke, Izunna

Application Number

US13/875,151
Publication Number

US 20130247147A1
Time in Patent Office

692 Days
Field of Search
US Class Current

726/15
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 41/0806   for initial configuration o...

H04L 63/0272   Virtual private networks

H04W 12/02   Protecting privacy or anony...

H04W 12/37   Managing security policies ...

Creating a virtual private network (VPN) for a single app on an internet-enabled device or system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Creating a virtual private network (VPN) for a single app on an internet-enabled device or system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others