Component analysis of software applications on computing devices

US 9,407,443 B2
Filed: 12/03/2012
Issued: 08/02/2016
Est. Priority Date: 06/05/2012
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable storage medium storing computer-readable instructions, which when executed, cause a computing system to:

receive, by a first computing device, communications from a plurality of computing devices, the communications relating to at least one application being installed on the plurality of computing devices;

in response to receiving the communications, store, by a data repository, component data including at least one known behavioral characteristic for a component of the at least one application, and further including at least one known structural characteristic for the component of the at least one application;

for a first application to be installed on a second computing device, determine first components of the first application, wherein the first components are packaged within the first application at the time of installation;

identify, via at least one processor, at least one behavior associated with each of the first components;

prior to installing the first application on the second computing device, make a comparison of permissible behaviors for the first components with identified behaviors associated with the first components, the comparison comprising accessing the component data in the data repository, and the comparison further comprising comparing the at least one known structural characteristic to at least one structural characteristic of a component in the first application;

in response to identifying a disallowed behavior from the comparison, block installation of the first application on the second computing device; and

generate a notification when the at least one structural characteristic is determined to differ from the at least one known structural characteristic.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detection, identification, and control of application behavior dealing with malware, security risks, data privacy, or resource usage can be difficult in an era of complex, composite software applications composed of multiple components. Software applications are analyzed to determine their components and to identify the behaviors associated with each of the components. Components can also be analyzed with respect to similarity of previously known components. Behaviors can include use of personal identifying information or device information, or any actions that can be taken by applications on the device, including user interface displays, notifications, network communications, and file reading or writing actions. Policies to control or restrict the behavior of applications and their components may be defined and applied. In one embodiment this can include the identification of advertising networks and defining policies to permit various opt-out actions for these advertising networks.

450 Citations

25 Claims

1. A non-transitory computer-readable storage medium storing computer-readable instructions, which when executed, cause a computing system to:
- receive, by a first computing device, communications from a plurality of computing devices, the communications relating to at least one application being installed on the plurality of computing devices;
  
  in response to receiving the communications, store, by a data repository, component data including at least one known behavioral characteristic for a component of the at least one application, and further including at least one known structural characteristic for the component of the at least one application;
  
  for a first application to be installed on a second computing device, determine first components of the first application, wherein the first components are packaged within the first application at the time of installation;
  
  identify, via at least one processor, at least one behavior associated with each of the first components;
  
  prior to installing the first application on the second computing device, make a comparison of permissible behaviors for the first components with identified behaviors associated with the first components, the comparison comprising accessing the component data in the data repository, and the comparison further comprising comparing the at least one known structural characteristic to at least one structural characteristic of a component in the first application;
  
  in response to identifying a disallowed behavior from the comparison, block installation of the first application on the second computing device; and
  
  generate a notification when the at least one structural characteristic is determined to differ from the at least one known structural characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory computer-readable storage medium of claim 1, wherein the instructions further cause the computing system to present, on a user display of the second computing device, an identification of the first components.
  - 3. The non-transitory computer-readable storage medium of claim 1, wherein the instructions further cause the computing system to determine at least one behavioral preference of the user.
  - 4. The non-transitory computer-readable storage medium of claim 3, wherein the instructions further cause the computing system to store a user policy based at least in part on the at least one behavioral preference, and to enforce the user policy on a second application installed on the second computing device.
  - 5. The non-transitory computer-readable storage medium of claim 4, wherein the instructions further cause a component of the second application to execute in conformance with results from a query of a server.
  - 6. The non-transitory computer-readable storage medium of claim 1, wherein the instructions further cause the computing system to, in response to installing a second application on the second computing device, scan the second application to confirm compliance with a user policy of the user, the user policy stored on an identity server.
  - 7. The non-transitory computer-readable storage medium of claim 1, wherein the instructions further cause the computing system to enforce, based on identified behaviors associated with the first components, a user policy for components of a second application installed on the second computing device.
  - 8. The non-transitory computer-readable storage medium of claim 1, wherein the permissible behaviors are in a user policy stored on an identity server.
  - 9. The non-transitory computer-readable storage medium of claim 8, wherein the identified behaviors associated with the first components include behaviors observed for the first components on one or more computing devices other than the first computing device or the second computing device.

10. A system, comprising:
- a data repository storing component data for known components, the component data including a known behavioral characteristic for a first known component, and the component data further including known structural characteristics;
  
  at least one processor; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  analyze a first application to determine components of the first application including a new component, the first application to be installed on a first computing device, and the new component corresponding to a behavior when executed on a computing device;
  
  perform a comparison of the new component to the component data, the performing comprising comparing the behavior of the new component to the known behavioral characteristic, and the performing further comprising comparing the known structural characteristics to identified characteristics of the new component;
  
  prior to installing the first application on the first computing device, make a determination based on the comparison that the new component corresponds to the first known component; and
  
  generate a notification when the identified characteristics are determined to differ from the known structural characteristics.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the instructions are further configured to instruct the at least one processor to, in response to the determination, perform at least one of:
    - comparing a first known behavior of the first known component to a user policy of a user of the first computing device;
      
      orcomparing an observed behavior of the new component to the user policy.
  - 12. The system of claim 10, wherein the component data further includes component identities, each component identity corresponding to respective identifying information for a known component.
  - 13. The system of claim 10, wherein the instructions are further configured to instruct the at least one processor to associate a similarity value with the comparison, and wherein the determination is made based on comparing the similarity value to a threshold value.
  - 14. The system of claim 10, wherein the comparison is based at least in part on a structure of the new component, and the structure is a packaging structure, a module structure, or an executable code structure.
  - 15. The system of claim 10, wherein the comparison is based at least in part on an executable code structure of the new component.
  - 16. The system of claim 10 , wherein the generating the notification comprises sending an alert to the first computing device.
  - 17. The system of claim 10, wherein installation of the first application on the first computing device is blocked in response to the determination.

18. A method, comprising:
- storing, in memory, component data for known components, the component data including a known behavioral characteristic for a first known component, the component data further including behavioral data including a set of behaviors, the set of behaviors comprising determining a location of a computing device;
  
  analyze a first application to determine components of the first application including a new component, the first application to be installed on a first computing device, and the new component corresponding to a behavior when executed in a second application on a second computing device, wherein each of a plurality of different applications includes the new component, and the new component corresponds to the set of behaviors when executed on a computing device;
  
  perform, via at least one processor, a comparison of the new component to the component data, the performing comprising comparing the behavior of the new component on the second computing device to the known behavioral characteristic; and
  
  prior to installing the first application on the first computing device, make a determination based on the comparison that the new component corresponds to the first known component, the determination based in part on a context of operation of the new component, the context comprising an accessing of location information.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The method of claim 18, wherein the new component is code from the first application, or a library in the first application.
  - 20. The method of claim 18, wherein at least one computing device has been observed when running a respective one of the different applications, and the at least one computing device exhibits the set of behaviors.
  - 21. The method of claim 18, wherein the accessing of location information is performed while an application has a visible presence on a user display.
  - 22. The method of claim 21, wherein the component data further includes a plurality of contexts each associated with at least one acceptable behavior.
  - 23. The method of claim 18, wherein the component data further includes risk scores for known components, and the method further comprising providing a risk score in response to a query regarding an application to be installed on the first computing device.

24. A method, comprising:
- storing, in memory, a first application comprising computer-readable instructions, which when executed, cause a mobile device to;
  
  analyze a second application to determine components of the second application including a new component, the new component corresponding to a behavior when executed on a computing device other than the mobile device;
  
  perform a comparison of the new component to component data for known components, the component data including a known behavioral characteristic for a first known component, and further including at least one known structural characteristic, and the performing comprising comparing the behavior of the new component to the known behavioral characteristic, and the performing further comprising comparing the at least one known structural characteristic to at least one identified characteristic of the new component;
  
  make a determination based on the comparison that the new component corresponds to the first known component;
  
  in response to identifying a disallowed behavior from the comparison, alert the mobile device that the second application contains the disallowed behavior; and
  
  generate a notification when the at least one identified characteristic is determined to differ from the at least one known structural characteristic;
  
  sending, via at least one processor, over a communication network, the first application for storage in a data processing system for subsequent installation from the data processing system onto the mobile device.

25. A system, comprising:
- at least one processor; and
  
  memory storing a first application, which when executed on a mobile device, causes the mobile device to;
  
  analyze a second application to determine components of the second application including a new component, the new component corresponding to a behavior when executed on a computing device other than the mobile device;
  
  perform a comparison of the new component to component data for known components, the component data including a known behavioral characteristic for a first known component, and further including at least one known structural characteristic, and the performing comprising comparing the behavior of the new component to the known behavioral characteristic, and the performing further comprising comparing the at least one known structural characteristic to at least one identified characteristic of the new component;
  
  make a determination based on the comparison that the new component corresponds to the first known component;
  
  in response to identifying a disallowed behavior from the comparison, alert the mobile device that the second application contains the disallowed behavior; and
  
  generate a notification when the at least one identified characteristic is determined to differ from the at least one known structural characteristic;
  
  memory further storing instructions configured to instruct the at least one processor to send the first application to a data processing system so that the first application can be later installed, over a communication network, on the mobile device from the data processing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Wyatt, Timothy Micheal, Mahaffey, Kevin, Halliday, Derek Joseph
Primary Examiner(s)
Tecklu, Isaac T
Assistant Examiner(s)
Luna, Roberto E

Application Number

US13/692,806
Publication Number

US 20130326476A1
Time in Patent Office

1,338 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 8/60   Software deployment

G06F 8/70   Software maintenance or man...

G06Q 30/0241   Advertisements

H04L 43/04   Processing captured monitor...

H04L 43/06   Generation of reports

H04L 9/3247   involving digital signatures

Component analysis of software applications on computing devices

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

450 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Component analysis of software applications on computing devices

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

450 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links