Validating the identity of an application for application management

US 9,838,398 B2
Filed: 01/26/2016
Issued: 12/05/2017
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

installing an application at a first location of a computing device, at least one token being embedded in the application;

storing, at a second location of the computing device and separately from the application, application metadata comprising at least one corresponding token, wherein each of the at least one corresponding token corresponds to one of the at least one token embedded in the application;

challenging the application to provide a response prior to granting the application access to a computing resource;

obtaining the at least one corresponding token from the application metadata stored at the computing device;

generating an expected response that is based, at least in part, on the at least one corresponding token obtained from the application metadata;

comparing the expected response to the response received from the application; and

either granting or denying the application access to the computing resource based on whether the expected response matches the response received.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing access to enterprise resources is provided. An access manager may operate at a mobile device to validate a mobile application installed at that mobile device. If the access manager does not successfully validate the mobile application, the access manager may prevent the mobile application from accessing computing resource. If the access manager does successfully validate the mobile application, then the access manager may identify the mobile application as a trusted mobile application. The access manager may thus permit the trusted mobile application to access the computing resource.

Citations

20 Claims

1. A computer-implemented method comprising:
- installing an application at a first location of a computing device, at least one token being embedded in the application;
  
  storing, at a second location of the computing device and separately from the application, application metadata comprising at least one corresponding token, wherein each of the at least one corresponding token corresponds to one of the at least one token embedded in the application;
  
  challenging the application to provide a response prior to granting the application access to a computing resource;
  
  obtaining the at least one corresponding token from the application metadata stored at the computing device;
  
  generating an expected response that is based, at least in part, on the at least one corresponding token obtained from the application metadata;
  
  comparing the expected response to the response received from the application; and
  
  either granting or denying the application access to the computing resource based on whether the expected response matches the response received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, wherein:
    - challenging the application to provide the response comprises challenging the application responsive to receipt, from the application, of a request to access the computing resource.
  - 3. The computer-implemented method of claim 1, wherein:
    - challenging the application to provide the response comprises challenging the application responsive to a launch of the application at the computing device.
  - 4. The computer-implemented method of claim 1, wherein:
    - generating the expected response comprises generating an expected application signature for the application.
  - 5. The computer-implemented method of claim 4, wherein:
    - generating the expected application signature further comprises obtaining at least one first corresponding token from the application metadata.
  - 6. The computer-implemented method of claim 5, wherein:
    - generating the expected application signature further comprises deriving at least one second token from the application.
  - 7. The computer-implemented method of claim 6, wherein:
    - deriving the at least one second token comprises hashing a component of the application.
  - 8. The computer-implemented method of claim 7, wherein:
    - the component comprises one of a binary of the application, an icon of the application, or a framework of the application.
  - 9. The computer-implemented method of claim 6, wherein:
    - generating the expected application signature further comprises arranging, in a predetermined order, the at least one first corresponding token and the at least one second token.
  - 10. The computer-implemented method of claim 4, further comprising:
    - providing a nonce to the application;
      
      wherein generating the expected response further comprises generating an expected hash value based on the application signature and the nonce; and
      
      wherein comparing the expected response to the response received from the application comprises comparing the expected hash value to a hash value received from the application.

11. A computer-implemented method comprising:
- receiving, at an application installed at a first location of a computing device, a challenge to provide a response prior to obtaining access to a computing resource;
  
  generating, by the application, a response that is based, at least in part, on a token embedded in the application;
  
  providing, by the application, the response for comparison to an expected response that has been generated based, at least in part, on a corresponding token obtained from application metadata stored at a second location of the computing device separately from the application installed at the computing device, wherein the corresponding token obtained from the application metadata corresponds to the token embedded in the application; and
  
  obtaining, by the application, access to the computing resource responsive to a determination that the expected response matches the response provided by the application.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer-implemented method of claim 11, wherein:
    - generating the response comprises generating, by the application, an application signature.
  - 13. The computer-implemented method of claim 12, wherein:
    - generating the application signature comprises extracting, by the application, the token embedded in the application.
  - 14. The computer-implemented method of claim 13, wherein:
    - generating the application signature comprises deriving at least one second token from the application.
  - 15. The computer-implemented method of claim 14 wherein:
    - deriving the at least one second token comprises hashing a component of the application; and
      
      the component comprises one of a binary of the application, an icon of the application, or a framework of the application.
  - 16. The computer-implemented method of claim 14, wherein:
    - generating the application signature comprises arranging, in a predetermined order, the token extracted from the application and at least one of the second tokens.
  - 17. The computer-implemented method of claim 12, further comprising:
    - receiving a nonce; and
      
      wherein generating the response further comprises generating a hash value based on the application signature and the nonce; and
      
      wherein providing the response for comparison to the expected response comprises providing the hash value to an expected hash value.

18. A computer-implemented method comprising:
- embedding a token in an application;
  
  providing, to a computing device for storage at a first location of the computing device, application metadata comprising a corresponding token that corresponds to the token embedded in the application;
  
  including, in the application, a management framework that configures the application to;
  
  (i) generate, in response to receiving a challenge, a response that is based, at least in part, on the token embedded in the application, and(ii) provide the response for comparison to an expected response that has been generated at the computing device based, at least in part, the corresponding token that has been obtained from the application metadata stored at the computing device; and
  
  providing the application to the computing device for installation at a second location of the computing device and separately from the application metadata.
- View Dependent Claims (19, 20)
- - 19. The computer-implemented method of claim 18, wherein:
    - the management framework configures the application to generate the response by generating an application signature based, at least in part, on the token embedded in the application.
  - 20. The computer-implemented method of claim 19, wherein:
    - the management framework configures the application to generate the application signature by extracting the token embedded in the application and arranging, in a predetermined order, the token extracted from the application and at least one second token derived from the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Barton, Gary, Lang, Zhongmin, Walker, James Robert
Primary Examiner(s)
Zee, Edward

Application Number

US15/006,348
Publication Number

US 20160142418A1
Time in Patent Office

679 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/33   using certificates

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

G06F 2221/033   Test or assess software

G06F 2221/2103   Challenge-response

G06F 2221/2115   Third party

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

Validating the identity of an application for application management

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Validating the identity of an application for application management

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links