Secure app-to-app communication

US 9,866,382 B2
Filed: 03/03/2014
Issued: 01/09/2018
Est. Priority Date: 12/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

providing, directly from a first mobile application of a mobile device to a second mobile application of the mobile device, a first encryption information associated with the first mobile application to establish encrypted information exchange, wherein the first encryption information is validated by a library associated with the second mobile application, wherein the library configures the second mobile application to respond with a second encryption information in the event the first mobile application is validated and not to respond with the second encryption information in the event the first mobile application is not validated;

in the event the first mobile application is validated, receiving the second encryption information associated with the second mobile application;

generating a shared encryption key based at least in part on the first encryption information and the second encryption information;

using the shared encryption key to encrypt data to be transferred from the first mobile application to the second mobile application;

determining whether a shared storage location with which to share data with the second mobile application exists;

in the event the shared storage location does not exist;

generating, by the first mobile application, the shared storage location with which to share data with the second mobile application; and

providing the encrypted data to the shared storage location;

in the event the shared storage location does exist, providing the encrypted data to the shared storage location; and

providing, from the first mobile application to the second mobile application, an identifier usable to retrieve data from the shared storage location, wherein the second mobile application is configured to retrieve the encrypted data from the shared storage location using the identifier.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure application-to-application communication is disclosed. A shared encryption key may be used to encrypt data to be transferred from a first mobile application to a second mobile application. The encrypted data is provided to a shared storage location. The second mobile application is configured to retrieve the encrypted data from the shared storage location.

38 Citations

View as Search Results

27 Claims

1. A method, comprising:
- providing, directly from a first mobile application of a mobile device to a second mobile application of the mobile device, a first encryption information associated with the first mobile application to establish encrypted information exchange, wherein the first encryption information is validated by a library associated with the second mobile application, wherein the library configures the second mobile application to respond with a second encryption information in the event the first mobile application is validated and not to respond with the second encryption information in the event the first mobile application is not validated;
  
  in the event the first mobile application is validated, receiving the second encryption information associated with the second mobile application;
  
  generating a shared encryption key based at least in part on the first encryption information and the second encryption information;
  
  using the shared encryption key to encrypt data to be transferred from the first mobile application to the second mobile application;
  
  determining whether a shared storage location with which to share data with the second mobile application exists;
  
  in the event the shared storage location does not exist;
  
  generating, by the first mobile application, the shared storage location with which to share data with the second mobile application; and
  
  providing the encrypted data to the shared storage location;
  
  in the event the shared storage location does exist, providing the encrypted data to the shared storage location; and
  
  providing, from the first mobile application to the second mobile application, an identifier usable to retrieve data from the shared storage location, wherein the second mobile application is configured to retrieve the encrypted data from the shared storage location using the identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein using the shared encryption key to encrypt the data comprises:
    - encrypting the data using the shared encryption key in a symmetric key encryption operation.
  - 3. The method of claim 1, wherein generating the shared encryption key comprises combining the first encryption information and second encryption information.
  - 4. The method of claim 3, wherein combining comprises combining the first encryption information and second encryption information using a binary XOR operation.
  - 5. The method of claim 1, wherein the receiving step includes:
    - receiving a request to open a uniform resource locator (URL) including the second encryption information;
      
      verifying that a source associated with the URL includes the second mobile application; and
      
      processing the URL to retrieve the second encryption information.
  - 6. The method of claim 1, further comprising:
    - storing one or more of the first encryption information, second encryption information, and shared encryption key at a secure storage location.
  - 7. The method of claim 1, wherein the first encryption information and second encryption information include public keys used in one or more of a Diffie-Hellman key exchange and an elliptic curve Diffie-Hellman key exchange.
  - 8. The method of claim 1, wherein the providing of the first encryption information associated with the first mobile application, receiving of the second encryption information associated with the second mobile application, and generating of the shared encryption key steps comprise one or more of a Diffie-Hellman key exchange and an elliptic curve Diffie-Hellman key exchange.
  - 9. The method of claim 1, further comprising:
    - determining that an encryption key expiration event has occurred; and
      
      initiating an encryption information exchange operation.
  - 10. The method of claim 1, wherein the shared storage location comprises a named pasteboard, andwherein the named pasteboard is associated with the identifier.
  - 11. The method of claim 1, wherein providing the identifier comprises:
    - using the shared encryption key to encrypt the identifier; and
      
      transferring the encrypted identifier from the first mobile application to the second mobile application.
  - 12. The method of claim 1, further comprising:
    - retrieving the encrypted data from the shared storage location at the second mobile application; and
      
      using the shared encryption key to decrypt the encrypted data.
  - 13. The method of claim 1, further comprising receiving the data at the first mobile application comprising a hub application.
  - 14. The method of claim 13, further comprising:
    - using a second shared encryption key to encrypt second data to be transferred from the first mobile application to a third mobile application; and
      
      providing the encrypted second data to a second shared storage location, wherein the third mobile application is configured to retrieve the encrypted second data from the second shared storage location.
  - 15. The method of claim 1, whereinusing the shared encryption information includes using the shared encryption key to encrypt data to be transferred from the first mobile application to a plurality of applications;
    - andproviding the encrypted data includes providing the encrypted data to a shared storage location accessible to the plurality of applications, wherein at least one application in the plurality of applications is configured to retrieve the encrypted data.
  - 16. The method of claim 1, wherein the identifier comprises a random name generated by the first mobile application.
  - 17. The method of claim 1, wherein the shared storage location comprises a named pasteboard, andwherein the shared storage location is generated at least in part by invoking a pasteboard generation class method.
  - 18. The method of claim 1, further comprising:
    - validating, by the second mobile application, the first mobile application; and
      
      in response to validating the first mobile application, retrieving, by the second mobile application, the encrypted data from the shared storage location.
  - 19. The method of claim 1, wherein at least one credential associated with the first mobile application is provided in addition to the first encryption information to the second mobile application.
  - 20. The method of claim 19, wherein the at least one credential associated with the first mobile application includes an application identifier associated with the first mobile application.
  - 21. The method of claim 19, wherein the at least one credential associated with the first mobile application includes a signature of an identifier associated with the first mobile application.
  - 22. The method of claim 1, wherein the second encryption information includes at least one credential associated with the second mobile application.
  - 23. The method of claim 1, wherein the first mobile application is a management agent and the second mobile application is a managed application.
  - 24. The method of claim 1, wherein the providing includes providing the first encryption information to the second mobile application using a uniform resource locator (URL) scheme associated with the second mobile application.

25. A system, comprising:
- a processor; and
  
  a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to;
  
  provide, directly from a first mobile application of the system to a second mobile application of the system, a first encryption information associated with the first mobile application to establish encrypted information exchange, wherein the first encryption information is validated by a library associated with the second mobile application, wherein the library configures the second mobile application to respond with a second encryption information in the event the first mobile application is validated and not to respond with the second encryption information in the event the first mobile application is not validated;
  
  in the event the first encryption information is validated, receive the second encryption information associated with the second mobile application;
  
  generate a shared encryption key based at least in part on the first encryption information and the second encryption information;
  
  use a shared encryption key to encrypt data to be transferred from the first mobile application to the second mobile application;
  
  determine whether a shared storage location with which to share data with the second mobile application exists;
  
  in the event the shared storage location does not exist;
  
  generate, by the first mobile application, the shared storage location with which to share data with the second mobile application;
  
  provide the encrypted data to the shared storage location;
  
  in the event the shared storage location does exist, providing the encrypted data to the shared storage location; and
  
  provide, from the first mobile application to the second mobile application, an identifier usable to retrieve data from the shared storage location, wherein the second mobile application is configured to retrieve the encrypted data from the shared storage location using the identifier.
- View Dependent Claims (26)
- - 26. The system of claim 25, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - encrypt the data using the shared encryption key in a symmetric key encryption operation.

27. A computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- providing, directly from a first mobile application of a mobile device to a second mobile application of the mobile device, a first encryption information associated with the first mobile application to establish encrypted information exchange, wherein the first encryption information is validated by a library associated with the second mobile application, wherein the library configures the second mobile application to respond with a second encryption information in the event the first mobile application is validated and not to respond with the second encryption information in the event the first mobile application is not validated;
  
  in the event the first encryption information is validated, receiving the second encryption information associated with the second mobile application;
  
  generating a shared encryption key based at least in part on the first encryption information and the second encryption information;
  
  using a shared encryption key to encrypt data to be transferred from the first mobile application to the second mobile application;
  
  determining whether a shared storage location with which to share data with the second mobile application exists;
  
  in the event the shared storage location does not exist;
  
  generating, by the first mobile application, a shared storage location with which to share data with the second mobile application; and
  
  providing the encrypted data to the shared storage location;
  
  in the event the shared storage location does exist, providing the encrypted data to the shared storage location; and
  
  providing, from the first mobile application to the second mobile application, an identifier usable to retrieve data from the shared storage location, wherein the second mobile application is configured to retrieve the encrypted data from the shared storage location using the identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ivanti, Inc. (Ivanti Software, Inc.)
Original Assignee
MobileIron, Inc.
Inventors
Wagner, Thomas Edward, Whiteman, Robert Elliott
Primary Examiner(s)
DO, KHANG D

Application Number

US14/195,727
Publication Number

US 20140177839A1
Time in Patent Office

1,408 Days
Field of Search

713166
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

H04L 2463/062   applying encryption of the ...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/30   Public key, i.e. encryption...

H04W 4/00   Services specially adapted ...

Secure app-to-app communication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Secure app-to-app communication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links