Secure configuration of mobile applications

US 9,075,978 B2
Filed: 04/23/2012
Issued: 07/07/2015
Est. Priority Date: 04/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method performed on a mobile computing device comprising:

generating, by a server system, configuration data for a first mobile application, wherein the configuration data includes data security encryption and decryption keys;

generating, by the server system a challenge code, and the mobile computing device receiving from the server system a server-generated challenge code via a user interface;

generating, by the server system a verification value using the challenge code and the configuration data, wherein the configuration data and the challenge code are encrypted and the resulting ciphers are combined;

receiving, by the mobile computing device from the server system, a first communication that includes configuration data and verification data different from the server-originated configuration data, wherein the verification data is generated from a combination of the configuration data and the server-generated challenge code, wherein the first communication comprises an email message having an attachment, and wherein the attachment comprises the configuration data and the verification data;

executing, for a user, the first mobile application and displaying an input box allowing the user to enter the challenge code previously provided to the user;

receiving, by the mobile computing device from the user of the mobile computing device, a user-provided challenge code, wherein the user receives the user-provided challenge code over a trusted communication channel different from a communication channel over which the mobile computing device receives the first communication;

verifying, by the mobile computing device, the authenticity of the configuration data received from the first communication using the user-provided challenge code, wherein verifying includes generating a candidate verification value from a combination of the configuration data and the user-provided challenge code and comparing the candidate verification value with the verification data received in the first communication, wherein the configuration data is deemed verified when the verification data received in the first communication matches the candidate verification value; and

when the configuration data is deemed verified, then configuring, by the mobile computing device, the first mobile application using the configuration data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure configuration of a mobile application (“app”) includes sending the required configuration data for the app to the user'"'"'s mobile computing device in a communication, for example an email with an attachment. A verification value is included in the attachment to protect the authenticity and integrity of the configuration data. A challenge code is issued to the user (or group of users). The challenge code is used to verify the configuration data.

36 Citations

View as Search Results

20 Claims

1. A method performed on a mobile computing device comprising:
- generating, by a server system, configuration data for a first mobile application, wherein the configuration data includes data security encryption and decryption keys;
  
  generating, by the server system a challenge code, and the mobile computing device receiving from the server system a server-generated challenge code via a user interface;
  
  generating, by the server system a verification value using the challenge code and the configuration data, wherein the configuration data and the challenge code are encrypted and the resulting ciphers are combined;
  
  receiving, by the mobile computing device from the server system, a first communication that includes configuration data and verification data different from the server-originated configuration data, wherein the verification data is generated from a combination of the configuration data and the server-generated challenge code, wherein the first communication comprises an email message having an attachment, and wherein the attachment comprises the configuration data and the verification data;
  
  executing, for a user, the first mobile application and displaying an input box allowing the user to enter the challenge code previously provided to the user;
  
  receiving, by the mobile computing device from the user of the mobile computing device, a user-provided challenge code, wherein the user receives the user-provided challenge code over a trusted communication channel different from a communication channel over which the mobile computing device receives the first communication;
  
  verifying, by the mobile computing device, the authenticity of the configuration data received from the first communication using the user-provided challenge code, wherein verifying includes generating a candidate verification value from a combination of the configuration data and the user-provided challenge code and comparing the candidate verification value with the verification data received in the first communication, wherein the configuration data is deemed verified when the verification data received in the first communication matches the candidate verification value; and
  
  when the configuration data is deemed verified, then configuring, by the mobile computing device, the first mobile application using the configuration data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein a second mobile application, different from the first mobile application, performs the steps of receiving the user-provided challenge code and verifying authenticity of the configuration data.
  - 3. The method of claim 2, wherein providing the configuration data to the first mobile application includes the second mobile application communicating with the first mobile application.
  - 4. The method of claim 2, wherein providing the configuration data to the first mobile application includes the second mobile application storing the configuration data in a data file that can be accessed by the first mobile application.
  - 5. The method of claim 1, wherein the first mobile application performs the steps of receiving a user-provided challenge code and verifying authenticity of the configuration data, and when the configuration data is deemed verified then the first mobile application uses the configuration data to establish and conduct communications with the server system.
  - 6. The method of claim 1, wherein the verification data in the first communication is a hash-based message authentication code (HMAC) produced by applying a secure hash function to a combination of the configuration data with the server-provided challenge code.
  - 7. The method of claim 1, wherein the configuration data is used by the first mobile application to establish and conduct communications with a server.
  - 8. The method of claim 1, wherein the mobile computing device is one of a plurality of mobile computing devices, wherein the server-provided challenge code is a single server-provided challenge code that is received by each of the plurality of mobile computing devices.
  - 9. The method of claim 1, wherein the mobile computing device is one of a plurality of mobile computing devices, wherein the server-provided challenge code is a single server-provided challenge code that is received by each of the plurality of mobile computing devices, and wherein the verification data is one verification value that is received by each of the plurality of mobile computing devices.
  - 10. The method of claim 1, wherein the user receives the user-provided challenge code over the trusted communication channel by directly interacting with the server system over an organization'"'"'s intranet.
  - 11. The method of claim 1, wherein another user receives the user-provided challenge code over the trusted communication channel by directly interacting with the server system over an organization'"'"'s intranet, and wherein the user receives the user-provided challenge code from the other user.

12. A system including a mobile computing device comprising:
- a data processor; and
  
  a data storage device having stored thereon computer executable program code,the computer executable program code, when executed by the data processor, causes the data processor to;
  
  generate, by a server system, configuration data for a first mobile application, wherein the configuration data includes data security encryption and decryption keys;
  
  generate, by the server system a challenge code, and receive from the server system by the mobile computing device a server-generated challenge code via a user interface;
  
  generate, by the server system a verification value using the challenge code and the configuration data, wherein the configuration data and the challenge code are encrypted and the resulting ciphers are combined;
  
  receive from the server system a first communication that includes configuration data and verification data different from the server-originated configuration data, wherein the verification data is generated from a combination of the configuration data and the server-generated challenge code, wherein the first communication comprises an email message having an attachment, and wherein the attachment comprises the configuration data and the verification data;
  
  execute, for a user, the first mobile application and displaying an input box allowing the user to enter the challenge code previously provided to the user;
  
  receive, from the user of the mobile computing device, a user-provided challenge code, wherein the user receives the user-provided challenge code over a trusted communication channel different from a communication channel over which the mobile computing device receives the first communication;
  
  verify the authenticity of the configuration data received from the first communication using the user-provided challenge code, wherein verifying includes generating a candidate verification value by applying the secure hash function to a combination of the configuration data and the user-provided challenge code and comparing the candidate verification value with the verification data received in the first communication, wherein the configuration data is deemed verified when the verification data received in the first communication matches the candidate verification value; and
  
  when the configuration data is deemed verified, then the mobile computing device configuring the first mobile application using the configuration data.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, wherein the computer executable program code is a second mobile application different from the first mobile application.
  - 14. The system of claim 13, wherein the second mobile application communicates with the first mobile application to provide the configuration data to the first mobile application.
  - 15. The system of claim 13, wherein the second mobile application stores the configuration data in a data file that can be accessed by the first mobile application.
  - 16. The system of claim 12, wherein the first mobile application comprises the computer executable program code.
  - 17. The system of claim 12, wherein the verification data in the first communication is a hash-based message authentication code (HMAC).
  - 18. The system of claim 12, wherein the configuration data is used by the first mobile application to establish and conduct communications with a server.

19. A non-transitory computer readable storage medium having stored thereon computer executable program code, which when executed by a mobile computing device, causes the computer to perform steps of:
- generating, by a server system, configuration data for a first mobile application, wherein the configuration data includes data security encryption and decryption keys;
  
  generating, by the server system a challenge code, and the mobile computing device receiving from the server system a server-generated challenge code via a user interface;
  
  generating, by the server system a verification value using the challenge code and the configuration data, wherein the configuration data and the challenge code are encrypted and the resulting ciphers are combined;
  
  receiving from the server system a first communication that includes configuration data and verification data different from the server-originated configuration data, wherein the verification data is generated from a combination of the configuration data and the server-generated challenge code, wherein the first communication comprises an email message having an attachment, and wherein the attachment comprises the configuration data and the verification data;
  
  executing, for a user, the first mobile application and displaying an input box allowing the user to enter the challenge code previously provided to the user;
  
  receiving from the user of the mobile computing device a user-provided challenge code, wherein the user receives the user-provided challenge code over a trusted communication channel different from a communication channel over which the mobile computing device receives the first communication;
  
  verifying the authenticity of the configuration data received from the first communication using the user-provided challenge code, wherein verifying includes generating a candidate verification value from a combination of the configuration data and the user-provided challenge code and comparing the candidate verification value with the verification data received in the first communication, wherein the configuration data is deemed verified when the verification data received in the first communication matches the candidate verification value; and
  
  when the configuration data is deemed verified, then configuring, by the mobile computing device, the first mobile application using the configuration data.
- View Dependent Claims (20)
- - 20. The non-transitory computer readable storage medium of claim 19, wherein a second mobile application, different from the first mobile application, performs the steps of receiving the user-provided challenge code and verifying authenticity of the configuration data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Schneider, Juergen, Lechner, Sami, El Khoury, Paul
Primary Examiner(s)
Edwards, Linglan
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US13/453,221
Publication Number

US 20130283400A1
Time in Patent Office

1,170 Days
Field of Search

726/30, 726/4, 713/152, 713/169
US Class Current

1/1
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/335   for accessing specific reso...

G06F 21/35   communicating wirelessly

G06F 21/572   Secure firmware programming...

G06F 2221/2119   Authenticating web pages, e...

G06F 8/61   Installation

H04L 63/18   using different networks or...

H04W 12/02   Protecting privacy or anony...

H04W 12/06   Authentication

H04W 12/10   Integrity

H04W 12/35   Protecting application or s...

H04W 4/60   Subscription-based services...

Secure configuration of mobile applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure configuration of mobile applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links