Policy-based dynamic information flow control on mobile devices

US 9,253,210 B2
Filed: 03/01/2013
Issued: 02/02/2016
Est. Priority Date: 04/26/2012
Status: Active Grant

First Claim

Patent Images

1. A method operative on a mobile device to enforce an enterprise policy, the mobile device including a hardware element and being configured to execute both enterprise and personal applications, the enterprise policy configured to prevent enterprise data from being leaked to a personal application running in the mobile device, comprising:

receiving and storing in a data store an enterprise policy defining a permitted run-time execution context when multiple applications execute concurrently on the mobile device;

responsive to an application seeking access to enterprise data stored in the mobile device, retrieving the enterprise policy, together with a list of applications currently running on the mobile device;

determining, based at least in part on the list of applications currently running on the mobile device, whether the run-time execution context identified in the enterprise policy is satisfied;

when the run-time execution context identified in the enterprise policy is satisfied, releasing to the application sensory data captured from a user input to the mobile device and enabling the application to access the enterprise data;

wherein at least the determining step is carried out in software executing in a hardware element.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for securing data on a mobile device that supports both enterprise and personal applications. According to the method, information flows and data accesses are tracked on the device at run-time to enable access control decisions to be performed based on a policy, such as an enterprise privacy policy that has been distributed to the device from an enterprise server. The policy may be updated by events at the device as well as at the enterprise server.

Citations

7 Claims

1. A method operative on a mobile device to enforce an enterprise policy, the mobile device including a hardware element and being configured to execute both enterprise and personal applications, the enterprise policy configured to prevent enterprise data from being leaked to a personal application running in the mobile device, comprising:
- receiving and storing in a data store an enterprise policy defining a permitted run-time execution context when multiple applications execute concurrently on the mobile device;
  
  responsive to an application seeking access to enterprise data stored in the mobile device, retrieving the enterprise policy, together with a list of applications currently running on the mobile device;
  
  determining, based at least in part on the list of applications currently running on the mobile device, whether the run-time execution context identified in the enterprise policy is satisfied;
  
  when the run-time execution context identified in the enterprise policy is satisfied, releasing to the application sensory data captured from a user input to the mobile device and enabling the application to access the enterprise data;
  
  wherein at least the determining step is carried out in software executing in a hardware element.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 further including:
    - receiving and storing a key; and
      
      using the key to encrypt the enterprise data.
  - 3. The method as described in claim 2 further including:
    - when the run-time execution context identified in the enterprise policy is satisfied, applying the key to decrypt the enterprise data; and
      
      providing the enterprise data to the application.
  - 4. The method as described in claim 1 further including updating the enterprise policy.
  - 5. The method as described in claim 4 wherein the enterprise policy is updated upon a trigger event at one of:
    - the mobile device, and an enterprise server.
  - 6. The method as described in claim 4 wherein the updating step includes executing an integrity check at the mobile device prior to permitting update to the enterprise policy.
  - 7. The method as described in claim 1 wherein the enterprise policy is one of:
    - a static policy that defines an attribute that must be verified before permitting the application to access the enterprise data, and a dynamic policy that defines a run-time behavior that must be satisfied before permitting the application to access the enterprise data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Muppidi, Sridhar R., Kodeswaran, Palanivel Andiappan, Mukherjea, Sougata, Nandakumar, Vikrant, Shalini, Kapoor
Primary Examiner(s)
BROWN, CHRISTOPHER J

Application Number

US13/781,823
Publication Number

US 20130291055A1
Time in Patent Office

1,068 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/20 for managing network securi...

H04W 12/086 using security domains

Policy-based dynamic information flow control on mobile devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based dynamic information flow control on mobile devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links