Secure configuration of mobile application

US 9,331,995 B2
Filed: 04/22/2014
Issued: 05/03/2016
Est. Priority Date: 04/23/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of configuring an application program of a mobile computing device, the method comprising:

establishing a secure network connection between the mobile computing device and a server computer system;

authenticating a user of the mobile computing device against the server computer system via the secure network connection;

receiving, at the server computer system, a configuration request via the secure network connection from the mobile computing device, the configuration request indicative of a user'"'"'s request for configuring the application program; and

in response to receiving the configuration request;

generating a challenge code;

sending the challenge code via the secure network connection to the mobile computing device;

encrypting configuration data using a symmetric key, wherein the symmetric key is the challenge code or the symmetric key is derived from the challenge code;

sending the configuration data in encrypted form via the secured network connection to the mobile computing device; and

sending a verification value from the server computer system to the mobile computing device either via an additional communication channel that is different from the secure network connection or as a separate communication over the same secure network connection, wherein the verification value is a hash-based message authentication code (HMAC) produced by applying a secure hash function to a combination of the configuration data with the challenge code,whereby the mobile computing device, in response to receiving the configuration data and the verification value, invokes a configuration program module to;

prompt the user to enter a challenge code via a user interface;

decrypt the configuration data in encrypted form upon entry of the challenge code via an input component of the mobile computing device;

verify the configuration data using the challenge code entered by the user and the verification value received via the additional communication channel; and

configure the application program using the configuration data in response to verification of the configuration data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure configuration of a mobile application (“app”) includes sending the required configuration data for the app to the user'"'"'s mobile computing device in a communication, for example an email with an attachment. A verification value is included in the attachment to protect the authenticity and integrity of the configuration data. A challenge code is issued to the user (or group of users). The challenge code is used to verify the configuration data.

Citations

18 Claims

1. A computer-implemented method of configuring an application program of a mobile computing device, the method comprising:
- establishing a secure network connection between the mobile computing device and a server computer system;
  
  authenticating a user of the mobile computing device against the server computer system via the secure network connection;
  
  receiving, at the server computer system, a configuration request via the secure network connection from the mobile computing device, the configuration request indicative of a user'"'"'s request for configuring the application program; and
  
  in response to receiving the configuration request;
  
  generating a challenge code;
  
  sending the challenge code via the secure network connection to the mobile computing device;
  
  encrypting configuration data using a symmetric key, wherein the symmetric key is the challenge code or the symmetric key is derived from the challenge code;
  
  sending the configuration data in encrypted form via the secured network connection to the mobile computing device; and
  
  sending a verification value from the server computer system to the mobile computing device either via an additional communication channel that is different from the secure network connection or as a separate communication over the same secure network connection, wherein the verification value is a hash-based message authentication code (HMAC) produced by applying a secure hash function to a combination of the configuration data with the challenge code,whereby the mobile computing device, in response to receiving the configuration data and the verification value, invokes a configuration program module to;
  
  prompt the user to enter a challenge code via a user interface;
  
  decrypt the configuration data in encrypted form upon entry of the challenge code via an input component of the mobile computing device;
  
  verify the configuration data using the challenge code entered by the user and the verification value received via the additional communication channel; and
  
  configure the application program using the configuration data in response to verification of the configuration data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein the configuration data comprises at least a uniform resource locater (URL) of an additional server computer system, the method further comprising, subsequent to configuration of the application program, steps of:
    - establishing an additional secure network connection between the configured application program on the mobile computing device and the additional server computer system using the URL contained in the configuration data;
      
      authenticating the user of the mobile computing device against the additional server computer system; and
      
      processing requests exchanged over the authenticated secure network connection between the configured application program on the mobile computing device and the additional server computer system.
  - 3. The computer-implemented method of claim 2, wherein the configuration data further comprises a port number of the additional server computer system, wherein establishing an additional secure network connection uses the port number.
  - 4. The computer-implemented method of claim 1, wherein the server computer system comprises a user registration database for storing user registration information, the user registration information comprising reference data for authenticating the user against the server computer system and an address for establishing an additional communication channel for sending the configuration data and the verification value to the mobile computing device, wherein in response to the configuration request and subsequent to a successful authentication of the user against the server computer system, the server computer system retrieves the address from the user registration database and sends the configuration data and verification value to the address via the additional communication channel.
  - 5. The computer-implemented method of claim 4, wherein either the address is an email address and the configuration data and the verification value are sent from the server computer system to the mobile computing device as an email message or the address is a telephone number of the mobile computing device and the configuration data and the verification value are sent from the server computer system to the mobile computing device as one or more SMS messages.
  - 6. The computer-implemented method of claim 1, wherein sending the challenge code via the secure network connection to the mobile computing device comprises sending one or more SMS messages.
  - 7. The computer-implemented method of claim 1 further comprising, in response to the configuration request and subsequent to a successful authentication of the user against the server computer system over a secure network connection:
    - retrieving the configuration data and the verification value; and
      
      sending a response to the configuration request via the same secure network connection to a browser program of the mobile computing device, the response comprising the configuration data, the verification value, and a redirect to a custom URL scheme that references the configuration program module,whereby the browser program executes the redirect to invoke the configuration program module.
  - 8. The computer-implemented method of claim 1, wherein the mobile computing device:
    - receives a first communication that includes the configuration data for the application program and the verification value, the verification value generated from a combination of the configuration data and the challenge code;
      
      receives the challenge code from the user of the mobile computing device;
      
      verifies authenticity of the configuration data using the challenge code from the user including generating a candidate verification value from a combination of the configuration data and the challenge code from the user, wherein the configuration data is deemed verified when the verification value received in the first communication matches the candidate verification value generated; and
      
      provides the configuration data to the application program in response to the configuration data being deemed verified.
  - 9. The computer-implemented method of claim 8, wherein the application program is a first application program, wherein a second application program in the mobile computing device, different from the first application program, performs the steps of receiving a challenge code and verifying authenticity of the configuration data,wherein providing the configuration data to the first application program includes the second application program communicating with the first application program,wherein providing the configuration data to the first application program includes the second application program storing the configuration data in a data file that can be accessed by the first application program,wherein the first application program uses the configuration data to establish and conduct communications with a server in response to the configuration data being deemed verified by the second application program.
  - 10. The computer-implemented method of claim 1, wherein the server computer system sends the configuration data and the verification value as an attachment in an email message.
  - 11. The computer-implemented method of claim 1, wherein the configuration data is used by a mobile application executing on the mobile computing device to establish and conduct communications with a server.

12. A server computer system comprising:
- a computer processor;
  
  a memory; and
  
  a data store having stored therein computer executable program code, which when executed by the computer processor, causes the computer processor to;
  
  establish a secure network connection between a mobile computing device and the server computer system;
  
  authenticate a user of the mobile computing device against the server computer system via the secure network connection;
  
  receive, at the server computer system, a configuration request via the secure network connection from the mobile computing device, the configuration request indicative of a user'"'"'s request for configuring the application program; and
  
  in response to receiving the configuration request;
  
  generate a challenge code by the server computer system;
  
  send the challenge code via the secure network connection to the mobile computing device;
  
  encrypt configuration data using a symmetric key, wherein the symmetric key is the challenge code or the symmetric key is derived from the challenge code;
  
  send the configuration data in encrypted form via the secured network connection to the mobile computing device; and
  
  send a verification value to the mobile computing device via an additional communication channel that is different from the secure network connection, or as a separate communication over the same secure network connection, wherein the verification value is a hash-based message authentication code (HMAC) produced by applying a secure hash function to a combination of the configuration data with the challenge code,whereby the mobile computing device, in response to receiving the configuration data and the verification value, invokes a configuration program module to;
  
  prompt the user to enter a challenge code via a user interface;
  
  decrypt the configuration data in encrypted form upon entry of the challenge code via an input component of the mobile computing device;
  
  verify the configuration data using the challenge code entered by the user and the verification value received via the additional communication channel; and
  
  configure the application program using the configuration data in response to verification of the configuration data.
- View Dependent Claims (13, 14, 15)
- - 13. The server computer system of claim 12, wherein the configuration data comprises at least a uniform resource locater (URL) of an additional server computer system, wherein the computer executable program code, which when executed by the computer processor, further causes the computer processor to perform actions subsequent to configuration of the application program, the actions including:
    - establishing an additional secure network connection between the mobile computing device and the additional server computer system using the URL contained in the configuration data;
      
      authenticating the user of the mobile computing device against the additional server computer system; and
      
      processing requests exchanged over the authenticated secure network connection between the configured application program on the mobile computing device and the additional server computer system.
  - 14. The server computer system of claim 12 further comprising a user registration database for storing user registration information, the user registration information comprising reference data for authenticating the user against the server computer system and an address for establishing an additional communication channel for sending the configuration data and the verification value to the mobile computing device, wherein in response to the configuration request and subsequent to a successful authentication of the user against the server computer system, the server computer system retrieves the address from the user registration database and sends the configuration data and verification value to the address via the additional communication channel.
  - 15. The server computer system of claim 12, wherein the computer executable program code, which when executed by the computer processor, further causes the computer processor to perform actions in response to the configuration request and subsequent to a successful authentication of the user over a secure network connection, the actions including:
    - retrieving the configuration data and the verification value; and
      
      sending a response to the configuration request via the same secure network connection to a browser program of the mobile computing device, the response comprising the configuration data, the verification value, and a redirect to a custom URL scheme that references the configuration program module,whereby the browser program executes the redirect to invoke the configuration program module.

16. A non-transitory computer readable storage medium having stored thereon computer executable code, which when executed by a computer causes the computer to:
- establish a secure network connection between a mobile computing device and a server computer system;
  
  authenticate a user of the mobile computing device against the server computer system via the secure network connection;
  
  receive, at the server computer system, a configuration request via the secure network connection from the mobile computing device, the configuration request indicative of a user'"'"'s request for configuring the application program; and
  
  in response to receiving the configuration request;
  
  generate a challenge code by the server computer system;
  
  send the challenge code via the secure network connection to the mobile computing device;
  
  encrypting configuration data using a symmetric key, wherein the symmetric key is the challenge code or the symmetric key is derived from the challenge code;
  
  sending the configuration data in encrypted form via the secured network connection to the mobile computing device; and
  
  send a verification value to the mobile computing device via an additional communication channel that is different from the secure network connection, or as a separate communication over the same secure network connection, wherein the verification value is a hash-based message authentication code (HMAC) produced by applying a secure hash function to a combination of the configuration data with the challenge code,whereby the mobile computing device, in response to receiving the configuration data and the verification value, invokes a configuration program module to;
  
  prompt the user to enter a challenge code via a user interface;
  
  decrypt the configuration data in encrypted form upon entry of the challenge code via an input component of the mobile computing device;
  
  verify the configuration data using the challenge code entered by the user and the verification value received via the additional communication channel; and
  
  configure the application program using the configuration data in response to verification of the configuration data.
- View Dependent Claims (17, 18)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the configuration data comprises at least a uniform resource locater (URL) of an additional server computer system, the non-transitory computer readable storage medium further having stored thereon computer executable code, which when executed by a computer causes the computer to perform actions subsequent to configuration of the application program including:
    - establishing an additional secure network connection between configured the application program on the mobile computing device and the additional server computer system using the URL contained in the configuration data;
      
      authenticating the user of the mobile computing device against the additional server computer system; and
      
      processing requests exchanged over the authenticated secure network connection between the configured application program on the mobile computing device and the additional server computer system.
  - 18. The non-transitory computer readable storage medium of claim 16 further having stored thereon computer executable code, which when executed by a computer causes the computer to perform actions in response to the configuration request and subsequent to a successful authentication of the user over a secure network connection, the actions including:
    - retrieving the configuration data and the verification value; and
      
      sending a response to the configuration request via the same additional secure network connection to a browser program of the mobile computing device, the response comprising the configuration data, the verification value, and a redirect to a custom URL scheme that references the configuration program module,whereby the browser program executes the redirect to invoke the configuration program module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Schneider, Juergen, El Khoury, Paul, Lechner, Sami
Primary Examiner(s)
Edwards, Linglan
Assistant Examiner(s)
Gracia, Gary

Application Number

US14/258,903
Publication Number

US 20140230031A1
Time in Patent Office

742 Days
Field of Search

726/6
US Class Current

1/1
CPC Class Codes

G06F 21/43   wireless channels

G06F 21/57   Certifying or maintaining t...

G06F 2221/2103   Challenge-response

G06F 8/61   Installation

H04L 63/08   for authentication of entit...

H04W 12/06   Authentication

H04W 12/106   Packet or message integrity

H04W 4/60   Subscription-based services...

Secure configuration of mobile application

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure configuration of mobile application

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links