Secure mobile framework

US 9,467,475 B2
Filed: 05/01/2014
Issued: 10/11/2016
Est. Priority Date: 03/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a gateway, an authentication request from an initiating device to authenticate an end-user, an enterprise managed application, and the initiating device in order to establish a service connection between the enterprise managed application running on the initiating device and an enterprise service,wherein the authentication request includes authentication credentials associated with the end-user, a device identifier, and an indication of an application family governed by a common application family security policy such that applications in the application family share access to authorization and authentication information on a given device, for a given user; and

generating a framework authentication token having an expiration date and the common application family security policy, wherein the framework authentication token is generated using an amalgamated, unique representation of the credentials associated with the end-user, the device identifier, the application family, and a device type associated with the device identifier;

transmitting the framework authentication token and the common application family security policy to the initiating device,wherein upon receipt the initiating device initiates a service connection request based on the framework authentication token and the common application family security policy; and

wherein the service connection request includes a canonical name of the enterprise service;

receiving the service connection request from the initiating device;

mapping, upon successful validation of the service connection request, the canonical name of the enterprise service to an address associated with the enterprise service; and

creating a secure connection between the enterprise service and the initiating device using the address associated with the enterprise service.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for a secure mobile framework to securely connect applications running on mobile devices to services within an enterprise are provided. Various embodiments provide mechanisms of securitizing data and communication between mobile devices and end point services accessed from a gateway of responsible authorization, authentication, anomaly detection, fraud detection, and policy management. Some embodiments provide for the integration of server and client side security mechanisms, binding of a user/application/device to an endpoint service along with multiple encryption mechanisms. For example, the secure mobile framework provides a secure container on the mobile device, secure files, a virtual file system partition, a multiple level authentication approach (e.g., to access a secure container on the mobile device and to access enterprise services), and a server side fraud detection system.

59 Citations

View as Search Results

23 Claims

1. A method comprising:
- receiving, at a gateway, an authentication request from an initiating device to authenticate an end-user, an enterprise managed application, and the initiating device in order to establish a service connection between the enterprise managed application running on the initiating device and an enterprise service,wherein the authentication request includes authentication credentials associated with the end-user, a device identifier, and an indication of an application family governed by a common application family security policy such that applications in the application family share access to authorization and authentication information on a given device, for a given user; and
  
  generating a framework authentication token having an expiration date and the common application family security policy, wherein the framework authentication token is generated using an amalgamated, unique representation of the credentials associated with the end-user, the device identifier, the application family, and a device type associated with the device identifier;
  
  transmitting the framework authentication token and the common application family security policy to the initiating device,wherein upon receipt the initiating device initiates a service connection request based on the framework authentication token and the common application family security policy; and
  
  wherein the service connection request includes a canonical name of the enterprise service;
  
  receiving the service connection request from the initiating device;
  
  mapping, upon successful validation of the service connection request, the canonical name of the enterprise service to an address associated with the enterprise service; and
  
  creating a secure connection between the enterprise service and the initiating device using the address associated with the enterprise service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 21)
- - 2. The method of claim 1, wherein any data transmitted to the initiating device is stored within a secure container only accessible by the enterprise managed application.
  - 3. The method of claim 1, further comprising gathering information about the initiating device and the enterprise managed application.
  - 4. The method of claim 1, further comprising determining a policy that the initiating device should enact in managing the enterprise managed application.
  - 5. The method of claim 4, wherein the secure connection will not be created if the enterprise cannot verify the initiating device is enacting the policy.
  - 6. The method of claim 1, further comprising actively monitoring telemetry and configurations of the initiating device.
  - 7. The method of claim 1, wherein the secure connection has been terminated, and the method further comprising:
    - receiving, at the gateway, a second service connection request from the initiating device,wherein the second service connection request includes the framework authentication token;
      
      authenticating the device and end-user using the framework authentication token before establishing a second secure connection between the enterprise service and the initiating device using the address associated with the enterprise service.
  - 21. The method of claim 1, wherein the secure connection is a secure channel such that the initiating device can communicate freely with the enterprise service.

8. A non-transitory computer-readable medium containing instructions that when executed by one or more processors cause a machine to:
- receive an authentication request from an initiating device to authenticate an end-user, an enterprise managed application, and the initiating device in order to establish a service connection between the enterprise managed application running on the initiating device and an enterprise service,wherein the authentication request includes authentication credentials associated with the end-user, a device identifier, and an indication of an application family governed by a common application family security policy such that applications in the application family share access to authorization and authentication information on a given device, for a given user;
  
  generate a framework authentication token having an expiration date and the common application family security policy, wherein the framework authentication token is generated using an amalgamated, unique representation of the credentials associated with the end-user, the device identifier, the application family, and a device type associated with the device identifier;
  
  transmit the framework authentication token and the common application family security policy to the initiating device;
  
  receive a service connection request from the initiating device based on the framework authentication token and the common application family security policy,wherein the service connection request includes a canonical name of the enterprise service;
  
  map, upon successful validation of the service connection request, the canonical name of the enterprise service to an address associated with the enterprise service; and
  
  map, upon successful validation of the service connection request, the canonical name of the enterprise service to an address associated with the enterprise service; and
  
  create a secure connection between the enterprise service and the initiating device using the address associated with the enterprise service.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 22)
- - 9. The non-transitory computer-readable medium of claim 8, wherein any data transmitted to the initiating device is stored within a secure container only accessible by the enterprise managed application.
  - 10. The non-transitory computer-readable medium of claim 8, wherein the instructions that when executed by the one or more processors further cause the machine to gather information about the initiating device and the enterprise managed application.
  - 11. The non-transitory computer-readable medium of claim 8, wherein the instructions that when executed by the one or more processors further cause the machine to determine a policy that the initiating device should enact in managing the enterprise managed application.
  - 12. The non-transitory computer-readable medium of claim 11, wherein the secure connection will not be created if the enterprise cannot verify the initiating device is enacting the policy.
  - 13. The non-transitory computer-readable medium of claim 8, wherein the instructions that when executed by the one or more processors further cause the machine to actively monitoring telemetry and configurations of the initiating device.
  - 14. The non-transitory computer-readable medium of claim 8, wherein the secure connection has been terminated, and the instructions that when executed by the one or more processors further cause the machine to:
    - receive a second service connection request from the initiating device,wherein the second service connection request includes the framework authentication token;
      
      authenticate the device and end-user using the framework authentication token before establishing a second secure connection between the enterprise service and the initiating device using the address associated with the enterprise service.
  - 22. The non-transitory computer-readable medium of claim 8, wherein the secure connection is a secure channel such that the initiating device can communicate freely with the enterprise service.

15. A system comprising:
- means for receiving an authentication request from an initiating device to authenticate an end-user, an enterprise managed application, and the initiating device in order to establish a service connection between the enterprise managed application running on the initiating device and an enterprise service,wherein the authentication request includes authentication credentials associated with the end-user, a device identifier, and an indication of an application family governed by a common application family security policy such that applications in the application family share access to authorization and authentication information on a given device, for a given user;
  
  means for generating a framework authentication token having an expiration date and the common application family security policy, wherein the framework authentication token is generated using an amalgamated, unique representation of the credentials associated with the end-user, the device identifier, the application family, and a device type associated with the device identifier;
  
  means for transmitting the framework authentication token and the common application family security policy to the initiating device;
  
  means for receiving a service connection request from the initiating device based on the framework authentication token and the common application family security policy,wherein the service connection request includes a canonical name of the enterprise service;
  
  means for mapping, upon successful validation of the service connection request, the canonical name of the enterprise service to an address associated with the enterprise service; and
  
  means for creating a secure connection between the enterprise service and the initiating device using the address associated with the enterprise service.
- View Dependent Claims (16, 17, 18, 19, 20, 23)
- - 16. The system of claim 15, wherein any data transmitted to the initiating device is stored within a secure container only accessible by the enterprise managed application.
  - 17. The system of claim 15, further comprising a means for gathering information about the initiating device and the enterprise managed application.
  - 18. The system of claim 15, further comprising a means for determining a policy that the initiating device should enact in managing the enterprise managed application.
  - 19. The system of claim 18, wherein the secure connection will not be created if the enterprise cannot verify the initiating device is enacting the policy.
  - 20. The system of claim 15, further comprising actively monitoring telemetry and configurations of the initiating device.
  - 23. The system of claim 15, wherein the secure connection is a secure channel such that the initiating device can communicate freely with the enterprise service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Synchronoss Technologies Incorporated
Original Assignee
SNCR, LLC
Inventors
Faltyn, Daniel, Smith, Andrew J. R.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BELL, KALISH K

Application Number

US14/267,346
Publication Number

US 20140245377A1
Time in Patent Office

894 Days
Field of Search

709/203, 709/225, 709/229, 726/1, 726/2, 726/3, 726/27
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Secure mobile framework

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Secure mobile framework

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links