Secure app ecosystem with key and data exchange according to enterprise information control policy

US 9,286,477 B2
Filed: 08/29/2012
Issued: 03/15/2016
Est. Priority Date: 08/29/2012
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for providing a secure ecosystem comprising at least a plurality of apps on a computing device, wherein the apps in the ecosystem securely exchange encrypted data according to an information control policy of an enterprise, without allowing unauthorized access from outside of the ecosystem, the method comprising:

creating, by an ecosystem agent on the computing device, an ecosystem directory, the ecosystem directory containing an entry for each specific app in the ecosystem, each entry comprising policy information concerning the specific app and identification information concerning the specific app, wherein the ecosystem agent is an app in the ecosystem;

generating, by each specific ecosystem-ready app on the computing device, an asymmetric key pair, a public key of which the specific app shares only with apps in the ecosystem, and a private key of which the specific app does not share at all;

securely communicating data between apps in the ecosystem, such that the communicated data cannot be accessed from outside of the ecosystem without authorization from within the ecosystem;

wherein securely communicating data between apps in the ecosystem further comprises encrypting data with a first key by a providing app in the ecosystem, such that at least one receiving app in the ecosystem can decrypt the data with a second key;

reading, by a first ecosystem app, a public key of a second ecosystem app, from the ecosystem directory;

encrypting, by the first ecosystem app using the public key of the second ecosystem app, at least one from a group consisting of;

a message to securely communicate to the second ecosystem app and a data object to securely share with the second ecosystem app;

performing at least one from a group of steps consisting of;

communicating the encrypted message from the first ecosystem app to the second ecosystem app and sharing the encrypted data object with the second ecosystem app by the first ecosystem; and

decrypting, by the second ecosystem app, using a private key of the second ecosystem app, at least one from a group consisting of;

the communicated message and the data object; and

complying, by each specific app in the ecosystem, with enterprise information control policy.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Multiple apps of an ecosystem on a computer securely exchange encrypted data according to an information control policy of an enterprise, without allowing unauthorized access from outside of the ecosystem. An ecosystem agent creates an ecosystem directory, which contains policy information and identification information concerning each specific app in the ecosystem, including the ecosystem agent. Each ecosystem app generates an asymmetric key pair, the public key of which it shares only with apps in the ecosystem through the directory. The ecosystem agent'"'"'s private key is used to encrypt the directory. Data is securely communicated between apps in the ecosystem, by encrypting and decrypting messages and data objects with the appropriate ecosystem app keys. Each specific app in the ecosystem complies with enterprise information control policy. Ecosystem apps can read a policy from the directory, and receive policy updates from the enterprise.

Citations

19 Claims

1. A computer implemented method for providing a secure ecosystem comprising at least a plurality of apps on a computing device, wherein the apps in the ecosystem securely exchange encrypted data according to an information control policy of an enterprise, without allowing unauthorized access from outside of the ecosystem, the method comprising:
- creating, by an ecosystem agent on the computing device, an ecosystem directory, the ecosystem directory containing an entry for each specific app in the ecosystem, each entry comprising policy information concerning the specific app and identification information concerning the specific app, wherein the ecosystem agent is an app in the ecosystem;
  
  generating, by each specific ecosystem-ready app on the computing device, an asymmetric key pair, a public key of which the specific app shares only with apps in the ecosystem, and a private key of which the specific app does not share at all;
  
  securely communicating data between apps in the ecosystem, such that the communicated data cannot be accessed from outside of the ecosystem without authorization from within the ecosystem;
  
  wherein securely communicating data between apps in the ecosystem further comprises encrypting data with a first key by a providing app in the ecosystem, such that at least one receiving app in the ecosystem can decrypt the data with a second key;
  
  reading, by a first ecosystem app, a public key of a second ecosystem app, from the ecosystem directory;
  
  encrypting, by the first ecosystem app using the public key of the second ecosystem app, at least one from a group consisting of;
  
  a message to securely communicate to the second ecosystem app and a data object to securely share with the second ecosystem app;
  
  performing at least one from a group of steps consisting of;
  
  communicating the encrypted message from the first ecosystem app to the second ecosystem app and sharing the encrypted data object with the second ecosystem app by the first ecosystem; and
  
  decrypting, by the second ecosystem app, using a private key of the second ecosystem app, at least one from a group consisting of;
  
  the communicated message and the data object; and
  
  complying, by each specific app in the ecosystem, with enterprise information control policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19)
- - 2. The method of claim 1 wherein creating an ecosystem directory further comprises:
    - creating the ecosystem directory by the ecosystem agent at a location on the computing device, wherein the location of the ecosystem directory is based on a name of the ecosystem.
  - 3. The method of claim 1 wherein creating an ecosystem directory further comprises:
    - encrypting the ecosystem directory with the ecosystem agent'"'"'s private key, by the ecosystem agent, such that the ecosystem agent'"'"'s public key is needed to decrypt the ecosystem directory.
  - 4. The method of claim 1 wherein creating an ecosystem directory further comprises:
    - creating the ecosystem directory by the ecosystem agent such that the contained entry for each specific app in the ecosystem comprises at least
      
           1) a policy for the specific app,
      
           2) information enabling the specific app to obtain policy updates, and
      
           3) information concerning the specific app enabling other apps in the ecosystem to securely communicate encrypted data to the specific app.
  - 5. The method of claim 4 wherein the information concerning the specific app enabling other apps in the ecosystem to securely communicate encrypted data to the specific app further comprises:
    - a bundle identifier or package name of the specific app, an address of the specific app, a public key of the specific app, media types supported by the specific app, and a localized title of the specific app.
  - 6. The method of claim 1 wherein creating an ecosystem directory further comprises:
    - writing an entry to the ecosystem directory, by the ecosystem agent, the written entry comprising at least a policy for the ecosystem agent, information enabling the ecosystem agent to obtain policy updates, and information concerning the ecosystem agent enabling other apps in the ecosystem to securely communicate encrypted data to the ecosystem agent.
  - 7. The method of claim 1 further comprising:
    - generating at least one ecosystem-wide key, by the ecosystem agent; and
      
      using the at least one ecosystem-wide key to encrypt and decrypt public keys of the apps of the ecosystem, thereby preventing access of the public keys of the apps of the ecosystem from outside of the ecosystem.
  - 8. The method of claim 1 wherein securely communicating data between apps in the ecosystem further comprises:
    - encrypting, by the first ecosystem app, a message to securely communicate to a plurality of other ecosystem apps, using a private key of the first ecosystem app;
      
      communicating the encrypted message from the first ecosystem app to the plurality of other ecosystem apps;
      
      reading, by the plurality of other ecosystem apps, a public key of the first ecosystem app, from the ecosystem directory; and
      
      decrypting the message by the plurality of other ecosystem apps, using the public key of the first ecosystem app.
  - 9. The method of claim 1 wherein securely communicating data between apps in the ecosystem further comprises:
    - encrypting, by the first ecosystem app, a data object to securely share with a plurality of other ecosystem apps, using a private key of the first ecosystem app;
      
      sharing the encrypted data object with the plurality of other ecosystem apps, by the first ecosystem app;
      
      reading, by the plurality of other ecosystem apps, a public key of the first ecosystem app, from the ecosystem directory; and
      
      decrypting the data object by the plurality of other ecosystem apps, using the public key of the first ecosystem app.
  - 10. The method of claim 1 wherein complying, by each specific app in the ecosystem, with enterprise information control policy further comprises:
    - reading, by each specific app in the ecosystem, a policy for the specific app from the ecosystem directory; and
      
      complying, by each specific app in the ecosystem, with its policy.
  - 11. The method of claim 1 wherein complying, by each specific app in the ecosystem, with enterprise information control policy further comprises:
    - receiving at least one policy update from the enterprise, by at least one ecosystem app; and
      
      complying with the at least one policy update received from the enterprise, by the at least one ecosystem app.
  - 12. The method of claim 1 further comprising:
    - invoking the ecosystem agent with a request to join the ecosystem, by an app;
      
      validating a trust status of the invoking app, by the ecosystem agent; and
      
      responsive to successfully validating the invoking app as being trusted to join the ecosystem, adding the invoking app to the ecosystem, by the ecosystem agent.
  - 13. The method of claim 12 wherein adding the invoking app to the ecosystem further comprises:
    - writing, by the ecosystem agent, an entry to the ecosystem directory, the written entry comprising at least a policy for the invoking app, information enabling the invoking app to obtain policy updates, and information concerning the invoking app enabling other apps in the ecosystem to securely communicate encrypted data to the invoking app; and
      
      providing the ecosystem agent'"'"'s public key and the ecosystem-wide key to the invoking app, thereby enabling the invoking app to decrypt the ecosystem agent'"'"'s public key with the ecosystem-wide key, and to decrypt the directory with the ecosystem agent'"'"'s public key.
  - 14. The method of claim 13 further comprising:
    - validating a trust status of the ecosystem agent, by the invoking app;
      
      responsive to successfully validating the ecosystem agent as being trustworthy, decrypting the ecosystem agent'"'"'s public key with the ecosystem-wide key, and decrypting the directory with the ecosystem agent'"'"'s public key, by the invoking app;
      
      reading the directory by the invoking app;
      
      obtaining, by the invoking app, at least the invoking app'"'"'s policy from the directory; and
      
      complying, by the invoking app, with its policy.
  - 15. The method of claim 1 further comprising:
    - maintaining a listing of mappings between underlying media types and functionality for processing content in ecosystem specific encrypted formats based on the underlying media types; and
      
      using the listing to properly process the ecosystem specific encrypted messages and objects in the ecosystem specific encrypted formats based on the underlying media types.
  - 16. The method of claim 1 further comprising:
    - providing at least one component as a member of the ecosystem, wherein the at least one component is external to the computing device and provides at least one service to ecosystem apps;
      
      receiving at least a key pair and a policy from the enterprise, by each specific external component that is a member of the ecosystem; and
      
      complying, by each specific external component that is a member of the ecosystem, with its policy.
  - 19. The method of claim 1 further comprising:
    - downloading at least one of the plurality of apps in the ecosystem to the computing device from a remote source;
      
      wherein code to securely exchange encrypted data according to the information control policy of the enterprise without allowing unauthorized access from outside of the ecosystem is added to the at least one app prior to download, such that the added code changes default behaviors of the app and provides the steps of securely communicating data between apps in the ecosystem, and complying with enterprise information control policy.

17. At least one non-transitory computer readable medium for providing a secure ecosystem comprising at least a plurality of apps on a computing device, wherein the apps in the ecosystem securely exchange encrypted data according to an information control policy of an enterprise, without allowing unauthorized access from outside of the ecosystem, the at least one non-transitory computer readable medium storing program code that, when loaded into computer memory and executed by a processor performs the following steps:
- creating, by an ecosystem agent on the computing device, an ecosystem directory, the ecosystem directory containing an entry for each specific app in the ecosystem, each entry comprising policy information concerning the specific app and identification information concerning the specific app, wherein the ecosystem agent is an app in the ecosystem;
  
  generating, by each specific ecosystem-ready app on the computing device, an asymmetric key pair, a public key of which the specific app shares only with apps in the ecosystem, and a private key of which the specific app does not share at all;
  
  securely communicating data between apps in the ecosystem, such that the communicated data cannot be accessed from outside of the ecosystem without authorization from within the ecosystem;
  
  wherein securely communicating data between apps in the ecosystem further comprises encrypting data with a first key by a providing app in the ecosystem, such that at least one receiving app in the ecosystem can decrypt the data with a second key;
  
  reading, by a first ecosystem app, a public key of a second ecosystem app, from the ecosystem directory;
  
  encrypting, by the first ecosystem app using the public key of the second ecosystem app, at least one from a group consisting of;
  
  a message to securely communicate to the second ecosystem app and a data object to securely share with the second ecosystem app;
  
  performing at least one from a group of steps consisting of;
  
  communicating the encrypted message from the first ecosystem app to the second ecosystem app and sharing the encrypted data object with the second ecosystem app by the first ecosystem; and
  
  decrypting, by the second ecosystem app, using a private key of the second ecosystem app, at least one from a group consisting of;
  
  the communicated message and the data object; and
  
  complying, by each specific app in the ecosystem, with enterprise information control policy.

18. A mobile computing device for providing a secure ecosystem comprising at least a plurality of mobile apps, wherein the mobile apps in the ecosystem securely exchange encrypted data according to an information control policy of an enterprise, without allowing unauthorized access from outside of the ecosystem, the mobile computing device comprising:
- computer memory;
  
  at least one processor;
  
  a directory creating module residing in the computer memory, configured to create an ecosystem directory, the ecosystem directory containing an entry for each specific mobile app in the ecosystem, each entry comprising policy information concerning the specific mobile app and identification information concerning the specific mobile app;
  
  a key generating module residing in the computer memory, configured to generate, by each specific ecosystem-ready mobile app on the mobile computing device, an asymmetric key pair, a public key of which the specific mobile app shares only with mobile apps in the ecosystem, and a private key of which the specific mobile app does not share at all;
  
  a communicating module residing in the computer memory, configured to communicate data securely between mobile apps in the ecosystem, such that the communicated data cannot be accessed from outside of the ecosystem without authorization from within the ecosystem;
  
  wherein securely communicating data between mobile apps in the ecosystem further comprises encrypting data with a first key by a providing mobile app in the ecosystem, such that at least one receiving mobile app in the ecosystem can decrypt the data with a second key;
  
  reading, by a first ecosystem app, a public key of a second ecosystem app, from the ecosystem directory;
  
  encrypting, by the first ecosystem app using the public key of the second ecosystem app, at least one from a group consisting of;
  
  a message to securely communicate to the second ecosystem app and a data object to securely share with the second ecosystem app;
  
  performing at least one from a group of steps consisting of;
  
  communicating the encrypted message from the first ecosystem app to the second ecosystem app and sharing the encrypted data object with the second ecosystem app by the first ecosystem; and
  
  decrypting, by the second ecosystem app, using a private key of the second ecosystem app, at least one from a group consisting of;
  
  the communicated message and the data object; and
  
  a policy complying module residing in the computer memory, configured to comply, by each specific mobile app in the ecosystem, with enterprise information control policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., Enderwick, Thomas Jeffrey, McCorkendale, Bruce
Primary Examiner(s)
Brown, Christopher
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US13/598,248
Publication Number

US 20140068273A1
Time in Patent Office

1,294 Days
Field of Search

713189-193
US Class Current

1/1
CPC Class Codes

G06F 16/196   Specific adaptations of the...

G06F 21/604   Tools and structures for ma...

G06F 21/606   by securing the transmissio...

H04L 63/0428   wherein the data content is...

H04L 63/20   for managing network securi...

Secure app ecosystem with key and data exchange according to enterprise information control policy

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure app ecosystem with key and data exchange according to enterprise information control policy

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links