Monitoring installed applications on user devices

US 9,992,025 B2
Filed: 04/15/2014
Issued: 06/05/2018
Est. Priority Date: 06/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a first signing identifier from a first computing device of a known source, wherein the first computing device is configured to send the first signing identifier to a third computing device;

accessing known component data stored in a data repository, the known component data comprising data regarding known characteristics for components of one or more prior applications installed on at least one user device, wherein the prior applications have been installed on the at least one user device by downloading from the third computing device;

after receiving the first signing identifier, evaluating, by a second computing device, authenticity of a first application comprising a plurality of components packaged within the first application, the evaluating including identifying at least one of the prior applications that is similar to the first application, and the similarity based on comparing a respective characteristic for each one or more of the plurality of components to the known component data;

causing, by the second computing device, an identification of the plurality of components in a user interface of at least one user device, wherein the user interface is configured to receive selection of a behavior based on the identification of the components;

identifying, based on the evaluating, at least one second application having a second signing identifier that is different from the first signing identifier, wherein the at least one second application is available for installation on at least one user device by downloading;

in response to identifying that the at least one second application is similar to the first application, sending a communication as a challenge to the first computing device to authenticate the known source as a signer for the at least one second application, wherein the challenge comprises sending data to the first computing device to be signed with a private key, receiving the signed data from the first computing device, and confirming the signed data corresponds to the first signing identifier;

sending, over a network, at least one communication to the first computing device that identifies the at least one second application, wherein the at least one communication includes the selected behavior; and

updating, based on an instruction from the first computing device, a policy to control behavior on at least one user device of the at least one second application, wherein the updated policy includes the selected behavior.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Software applications previously or currently being installed on a plurality of user devices are monitored. In one embodiment, a first set of the installed applications that is signed with a signing identifier of a developer are identified. A report is then sent to the developer that includes an identification of the first set. In another embodiment, the authenticity of a first application is evaluated including determining, based on a respective signing identifier for each of a plurality of applications, that the applications are similar to the first application. A notification is sent to the developer that identifies applications having a signing identifier that is different from the signing identifier of the developer.

Citations

17 Claims

1. A method, comprising:
- receiving a first signing identifier from a first computing device of a known source, wherein the first computing device is configured to send the first signing identifier to a third computing device;
  
  accessing known component data stored in a data repository, the known component data comprising data regarding known characteristics for components of one or more prior applications installed on at least one user device, wherein the prior applications have been installed on the at least one user device by downloading from the third computing device;
  
  after receiving the first signing identifier, evaluating, by a second computing device, authenticity of a first application comprising a plurality of components packaged within the first application, the evaluating including identifying at least one of the prior applications that is similar to the first application, and the similarity based on comparing a respective characteristic for each one or more of the plurality of components to the known component data;
  
  causing, by the second computing device, an identification of the plurality of components in a user interface of at least one user device, wherein the user interface is configured to receive selection of a behavior based on the identification of the components;
  
  identifying, based on the evaluating, at least one second application having a second signing identifier that is different from the first signing identifier, wherein the at least one second application is available for installation on at least one user device by downloading;
  
  in response to identifying that the at least one second application is similar to the first application, sending a communication as a challenge to the first computing device to authenticate the known source as a signer for the at least one second application, wherein the challenge comprises sending data to the first computing device to be signed with a private key, receiving the signed data from the first computing device, and confirming the signed data corresponds to the first signing identifier;
  
  sending, over a network, at least one communication to the first computing device that identifies the at least one second application, wherein the at least one communication includes the selected behavior; and
  
  updating, based on an instruction from the first computing device, a policy to control behavior on at least one user device of the at least one second application, wherein the updated policy includes the selected behavior.
- View Dependent Claims (2, 3, 4, 5, 16, 17)
- - 2. The method of claim 1, wherein the second computing device is a server, the first application has a first package identifier and a signing identifier, and the evaluating further includes comparing the first signing identifier to the signing identifier of the first application.
  - 3. The method of claim 1, further comprising receiving an indication of ownership in the first application from the first computing device, wherein the evaluating is further based on the indication of ownership in the first application.
  - 4. The method of claim 1, further comprising comparing a signing identifier of the first application to a signing key in a registry of known signing keys.
  - 5. The method of claim 4, wherein the registry comprises a plurality of package identifiers, each identifier associated with a respective one of the known signing keys, the method further comprising comparing a first package identifier of the first application to the plurality of package identifiers.
  - 16. The method of claim 1, further comprising causing display of a visual indication in a user interface of at least one user device, the visual indication indicating that the at least one second application is authentic.
  - 17. The method of claim 1, wherein the at least one second application is available for the installation on the at least one user device by downloading from the third computing device.

6. A method, comprising:
- receiving, over a network, from a first computing device of a known source, a signing identifier and an identification of a first application, wherein the first computing device is configured to send the signing identifier to a third computing device;
  
  monitoring, by a second computing device, installed applications on at least one user device, wherein the installed applications have been installed on the at least one user device by downloading from the third computing device;
  
  identifying, by the second computing device, a second application of the installed applications that is signed with the signing identifier and is similar to the first application, the similarity based on comparing a characteristic for at least one component of the second application to component data associated with the first application, and the identifying comprising accessing a data repository storing the component data;
  
  in response to identifying that the second application is similar to the first application, sending a communication as a challenge to the first computing device to authenticate the known source as a signer for the second application, wherein the challenge comprises sending data to the first computing device to be signed with a private key, receiving the signed data from the first computing device, and confirming the signed data corresponds to the signing identifier;
  
  causing, by the second computing device, an identification of the at least one component of the second application in a user interface of at least one user device, wherein the user interface is configured to receive selection of a behavior based on the identification of the at least one component;
  
  sending, over the network to the first computing device, at least one communication including the selected behavior and an identification of the second application; and
  
  updating, based on the identifying the second application, a policy to control behavior of at least one of the first application or the second application on at least one computing device, wherein the updated policy includes the selected behavior.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6, further comprising:
    - identifying a third application that is similar to the first application and that is signed both with the signing identifier and with at least one other certificate, wherein the at least one communication further includes an identification of the other certificate.
  - 8. The method of claim 6, wherein the identification of the first application identifies a known-good version of the first application, and the method further comprising:
    - identifying a fraudulent version of the first application based on the monitoring of the installed applications; and
      
      sending an alert to the first computing device that the fraudulent version was identified.
  - 9. The method of claim 6, further comprising:
    - identifying a third application that is similar to the first application;
      
      determining at least one market in which the first application can be marketed based on the identifying of the third application; and
      
      sending an identification of the at least one market to the first computing device.
  - 10. The method of claim 6, further comprising assessing a context in which the signing identifier is observed when the first application is signed.
  - 11. The method of claim 6, wherein the signing identifier is one of a certificate, a certificate thumbprint, a public key, a hash of a certificate, or a hash of a public key.

12. A system, comprising:
- at least one processor; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  receive a signing identifier and an identification of a first application from a first computing device;
  
  receive, over a network, data regarding applications installed on user devices, wherein the installed applications have been installed on the user devices by downloading from a third computing device;
  
  determine components associated with the applications installed on the user devices, wherein a source of at least one of the components is indicated by a component identity;
  
  access component data stored in a data repository, the component data comprising data regarding a respective characteristic for each of the components;
  
  identify a first set of the applications installed on the user devices that are similar to the first application, the similarity based on comparing at least one component packaged within the first application to the component data, and the identifying further including comparing the component identity with an identification of the source;
  
  causing, in a user interface of at least one user device, an identification of the at least one component packaged within the first application, wherein the user interface is configured to receive selection of a behavior based on the identification of the at least one component;
  
  in response to identifying that the first set of installed applications are similar to the first application, send a communication as a challenge to the first computing device to authenticate the source as a signer for the first application, wherein the challenge comprises sending data to the first computing device to be signed with a private key, receiving the signed data from the first computing device, and confirming the signed data corresponds to the signing identifier;
  
  send, over the network, at least one communication to the first computing device that includes the selected behavior and identifies the first set of installed applications;
  
  receive permissions from the first computing device; and
  
  in response to identifying that the first set of installed applications are similar to the first application, update a policy for the first set based on the permissions, wherein the updated policy includes the selected behavior.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the instructions are further configured to instruct the at least one processor to analyze privacy issues for the first application, and generate a privacy assessment report for sending to the first computing device based on the privacy issues.
  - 14. The system of claim 12, wherein the instructions are further configured to instruct the at least one processor to check for harmful behavior of a new application to be installed on a user device, wherein the identifying of the first set is based in part on any identified harmful behavior of the new application.
  - 15. The system of claim 12, wherein the identifying the first set of the applications installed on the user devices comprises identifying applications having at least one of an identical package identifier, code similarity, identical strings, similar strings, identical media assets, or similar media assets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick, Wyatt, Timothy Micheal, Evans, Daniel Lee, Ong, Emil Barker, Strazzere, Timothy, LaMantia, Matthew John Joseph, Buck, Brian James
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
DHRUV, DARSHAN I

Application Number

US14/253,702
Publication Number

US 20150172060A1
Time in Patent Office

1,512 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3604   Software analysis for verif...

G06F 21/44   Program or device authentic...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 8/60   Software deployment

G06F 8/70   Software maintenance or man...

G06Q 30/0241   Advertisements

H04L 43/04   Processing captured monitor...

H04L 43/06   Generation of reports

H04L 9/3247   involving digital signatures

Monitoring installed applications on user devices

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring installed applications on user devices

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links