Policy-based runtime control of a software application

US 9,787,718 B2
Filed: 01/13/2015
Issued: 10/10/2017
Est. Priority Date: 01/02/2013
Status: Active Grant

First Claim

Patent Images

1. A method of policy-based runtime control of a software application, the method comprising:

a hardware-based processor of a computer system receiving a request to launch a software program comprised by an enhanced application,wherein the enhanced application further comprises;

security instructions that perform a security-related function associated with the software program; and

an application policy descriptor,wherein the application policy descriptor identifies a global policy and a security policy,wherein the global policy identifies conditions under which the software program is capable of being launched; and

wherein the security policy identifies the security instructions;

the processor requesting a latest valid policy descriptor from an enterprise server, wherein the latest valid policy descriptor identifies a latest valid version of the global policy and a latest valid version of the security policy;

the processor replacing, in the enhanced application, the application policy descriptor with the latest valid the policy descriptor;

the processor confirming that the latest valid version of global policy permits the software program to launch;

the processor launching the software program in response to the confirming; and

the processor running a set of security instructions identified by the latest valid version of the security policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, process, and associated systems for policy-based development and runtime control of mobile applications. Security objects that describe or enforce security policies are embedded into the source code of an enhanced application while the application is being developed. When a user attempts to launch the enhanced application on a mobile device, the security objects are updated to match a latest valid version of the objects stored on an enterprise server. The security objects may be further updated at other times. Global security policies, which affect the entire enterprise and which may deny the application permission to launch, are enforced by a global security policy stored within one of the updated security objects. If the application does run, application-specific security policies contained in the updated security objects modify application behavior at runtime in order to enforce application-specific security policies.

27 Citations

View as Search Results

19 Claims

1. A method of policy-based runtime control of a software application, the method comprising:
- a hardware-based processor of a computer system receiving a request to launch a software program comprised by an enhanced application,wherein the enhanced application further comprises;
  
  security instructions that perform a security-related function associated with the software program; and
  
  an application policy descriptor,wherein the application policy descriptor identifies a global policy and a security policy,wherein the global policy identifies conditions under which the software program is capable of being launched; and
  
  wherein the security policy identifies the security instructions;
  
  the processor requesting a latest valid policy descriptor from an enterprise server, wherein the latest valid policy descriptor identifies a latest valid version of the global policy and a latest valid version of the security policy;
  
  the processor replacing, in the enhanced application, the application policy descriptor with the latest valid the policy descriptor;
  
  the processor confirming that the latest valid version of global policy permits the software program to launch;
  
  the processor launching the software program in response to the confirming; and
  
  the processor running a set of security instructions identified by the latest valid version of the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - the processor, prior to the requesting, determining that at least one component of the application policy descriptor does not match a corresponding component of the latest valid policy descriptor.
  - 3. The method of claim 1, wherein the security-related function comprises erasing data from a storage device.
  - 4. The method of claim 1, wherein the security-related function comprises two or more operations selected from a group comprising:
    - erasing data from a mobile device,securing stored data through encryption, access control, or other security mechanism,restricting an operation of the enhanced application at runtime,prompting a user for security credentials, andterminating the enhanced application;
      
      and wherein the restricting is selected from a group comprising;
      
      requiring a user to submit security credentials,authenticating a user'"'"'s submitted security credentials,denying the enhanced application access to data, andencrypting data that is processed by the enhanced application.
  - 5. The method of claim 1, further comprising:
    - the processor confirming, before requesting the latest valid policy descriptor, that the latest valid policy descriptor is current and valid.
  - 6. The method of claim 5, further comprising:
    - the processor, upon failing to confirm that the latest valid policy descriptor is current and valid, requesting the enterprise server to update the latest valid policy descriptor.
  - 7. The method of claim 1, further comprising:
    - the processor providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in the computer system, wherein the computer-readable program code in combination with the computer system is configured to implement the receiving, requesting, confirming, launching, and running.

8. A computer program product, comprising a computer-readable hardware storage device having a computer-readable program code stored therein, said program code configured to be executed by a hardware-based processor of a computer system to implement a method of policy-based runtime control of a software application that comprises:
- the processor receiving a request to launch a software program comprised by an enhanced application,wherein the enhanced application further comprises;
  
  security instructions that perform a security-related function associated with the software program; and
  
  an application policy descriptor,wherein the application policy descriptor identifies a global policy and a security policy,wherein the global policy identifies conditions under which the software program is capable of being launched; and
  
  wherein the security policy identifies the security instructions;
  
  the processor requesting a latest valid policy descriptor from an enterprise server, wherein the latest valid policy descriptor identifies a latest valid version of the global policy and a latest valid version of the security policy;
  
  the processor replacing, in the enhanced application, the application policy descriptor with the latest valid the policy descriptor;
  
  the processor confirming that the latest valid version of global policy permits the software program to launch;
  
  the processor launching the software program in response to the confirming; and
  
  the processor running a set of security instructions identified by the latest valid version of the security policy.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer program product of claim 8, further comprising:
    - the processor, prior to the requesting, determining that at least one component of the application policy descriptor does not match a corresponding component of the latest valid policy descriptor.
  - 10. The computer program product of claim 8, wherein the security-related function comprises erasing data from a storage device.
  - 11. The computer program product of claim 8, wherein the security-related function comprises two or more operations selected from a group comprising:
    - erasing data from a mobile device,securing stored data through encryption, access control, or other security mechanism,restricting an operation of the enhanced application at runtime,prompting a user for security credentials, andterminating the enhanced application;
      
      and wherein the restricting is selected from a group comprising;
      
      requiring a user to submit security credentials,authenticating a user'"'"'s submitted security credentials,denying the enhanced application access to data, andencrypting data that is processed by the enhanced application.
  - 12. The computer program product of claim 8, the method further comprising:
    - the processor confirming, before requesting the latest valid policy descriptor, that the latest valid policy descriptor is current and valid.
  - 13. The computer program product of claim 12, the method further comprising:
    - the processor, upon failing to confirm that the latest valid policy descriptor is current and valid, requesting the enterprise server to update the latest valid policy descriptor.

14. A security system comprising a hardware-based processor, a memory coupled to the processor, an interface between the processor and a mobile device, and a computer-readable hardware storage device coupled to the processor, the storage device containing program code configured to be run by the processor via the memory to implement a method of policy-based runtime control of a software application that comprises:
- the processor receiving a request to launch a software program comprised by an enhanced application,wherein the enhanced application further comprises;
  
  security instructions that perform a security-related function associated with the software program; and
  
  an application policy descriptor,wherein the application policy descriptor identifies a global policy and a security policy,wherein the global policy identifies conditions under which the software program is capable of being launched; and
  
  wherein the security policy identifies the security instructions;
  
  the processor requesting a latest valid policy descriptor from an enterprise server, wherein the latest valid policy descriptor identifies a latest valid version of the global policy and a latest valid version of the security policy;
  
  the processor replacing, in the enhanced application, the application policy descriptor with the latest valid the policy descriptor;
  
  the processor confirming that the latest valid version of global policy permits the software program to launch;
  
  the processor launching the software program in response to the confirming; and
  
  the processor running a set of security instructions identified by the latest valid version of the security policy.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The security system of claim 14, further comprising:
    - the processor, prior to the requesting, determining that at least one component of the application policy descriptor does not match a corresponding component of the latest valid policy descriptor.
  - 16. The security system of claim 14, wherein the security-related function comprises erasing data from a storage device.
  - 17. The security system of claim 14, wherein the security-related function comprises two or more operations selected from a group comprising:
    - erasing data from a mobile device,securing stored data through encryption, access control, or other security mechanism,restricting an operation of the enhanced application at runtime,prompting a user for security credentials, andterminating the enhanced application;
      
      and wherein the restricting is selected from a group comprising;
      
      requiring a user to submit security credentials,authenticating a user'"'"'s submitted security credentials,denying the enhanced application access to data, andencrypting data that is processed by the enhanced application.
  - 18. The security system of claim 14, the method further comprising:
    - the processor confirming, before requesting the latest valid policy descriptor, that the latest valid policy descriptor is current and valid.
  - 19. The security system of claim 18, the method further comprising:
    - the processor, upon failing to confirm that the latest valid policy descriptor is current and valid, requesting the enterprise server to update the latest valid policy descriptor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Kapoor, Shalini, Kodeswaran, Palanivel A., Kumar, Udayan, Nandakumar, Vikrant
Primary Examiner(s)
Schwartz, Darren B

Application Number

US14/595,647
Publication Number

US 20150163247A1
Time in Patent Office

1,001 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/6281   at program execution time, ...

H04L 63/20   for managing network securi...

Policy-based runtime control of a software application

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based runtime control of a software application

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links