Modifying pre-existing mobile applications to implement enterprise security policies

US 9,143,529 B2
Filed: 10/10/2012
Issued: 09/22/2015
Est. Priority Date: 10/11/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

disassembling, by a computing device, executable code of a mobile application associated with an enterprise into disassembled code;

analyzing, by the computing device, the disassembled code;

modifying, by the computing device, the disassembled code to add new code that causes the mobile application to;

detect that the mobile application is being used within a pre-defined time window;

detect a request by the mobile application to access a site not associated with the enterprise; and

add one or more headers to the request that cause the request to be sent via an application tunnel to a content-filtering device configured to;

determine whether the site not associated with the enterprise is authorized for access within the pre-defined time window;

strip the one or more headers from the request responsive to determining that the site not associated with the enterprise is authorized for access; and

after stripping the one or more headers from the request, forward the request to the site not associated with the enterprise;

obfuscating at least a portion of the new code to inhibit reverse engineering of the new code; and

rebuilding the mobile application using the modified disassembled code.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user'"'"'s position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

482 Citations

27 Claims

1. A method comprising:
- disassembling, by a computing device, executable code of a mobile application associated with an enterprise into disassembled code;
  
  analyzing, by the computing device, the disassembled code;
  
  modifying, by the computing device, the disassembled code to add new code that causes the mobile application to;
  
  detect that the mobile application is being used within a pre-defined time window;
  
  detect a request by the mobile application to access a site not associated with the enterprise; and
  
  add one or more headers to the request that cause the request to be sent via an application tunnel to a content-filtering device configured to;
  
  determine whether the site not associated with the enterprise is authorized for access within the pre-defined time window;
  
  strip the one or more headers from the request responsive to determining that the site not associated with the enterprise is authorized for access; and
  
  after stripping the one or more headers from the request, forward the request to the site not associated with the enterprise;
  
  obfuscating at least a portion of the new code to inhibit reverse engineering of the new code; and
  
  rebuilding the mobile application using the modified disassembled code.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein modifying the disassembled code comprises adding functionality that causes the mobile application to use an encryption library to encrypt data stored on a mobile device.
  - 3. The method of claim 1, further comprising replacing a reference in the mobile application to a general launcher of an operating system of a mobile device with a reference to a secure launcher application installed on the mobile device, to thereby cause the mobile application to use the secure launcher application instead of the general launcher of the operating system of the mobile device, wherein the secure launcher application implements at least one enterprise security policy of the enterprise.
  - 4. The method of claim 1, further comprising modifying a reference in the mobile application to cause the mobile application to run in a secure virtual machine that is separate from an operating system virtual machine.
  - 5. The method of claim 1, comprising:
    - signing the rebuilt mobile application using a digital certificate.

6. Non-transitory computer-readable media storing computer-readable instructions that, when executed by a processor, cause a device to:
- disassemble executable code of a mobile application associated with an enterprise into disassembled code;
  
  analyze the disassembled code;
  
  modify the disassembled code to add new code that causes the mobile application to;
  
  detect that the mobile application is being used within a pre-defined time window;
  
  detect a request by the mobile application to access a site not associated with the enterprise; and
  
  add one or more headers to the request that cause the request to be sent via an application tunnel to a content-filtering device configured to;
  
  determine whether the site not associated with the enterprise is authorized for access within the pre-defined time window;
  
  strip the one or more headers from the request responsive to determining that the site not associated with the enterprise is authorized for access; and
  
  after stripping the one or more headers from the request, forward the request to the site not associated with the enterprise;
  
  obfuscate at least a portion of the new code to inhibit reverse engineering of the new code; and
  
  rebuild the mobile application using the modified disassembled code.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 7. The non-transitory computer-readable media of claim 6, wherein modifying the disassembled code comprises adding functionality that causes the mobile application to use an encryption library to encrypt data stored on a mobile device.
  - 8. The non-transitory computer-readable media of claim 6, wherein modifying the disassembled code to add the new code comprises adding functionality that causes a prompt for entry of a passcode to be displayed when the mobile application is launched.
  - 9. The non-transitory computer-readable media of claim 6, wherein modifying the disassembled code comprises disabling cut-and-paste functionality.
  - 10. The non-transitory computer-readable media of claim 6, wherein modifying the disassembled code comprises adding code that enables the enterprise to remotely initiate deletion of data associated with the mobile application from a mobile device.
  - 11. The non-transitory computer-readable media of claim 6, wherein the computer-readable instructions, when executed by the processor, further cause the device to replace a reference in the mobile application to a general launcher of an operating system of a mobile device with a reference to a secure launcher application installed on the mobile device, to thereby cause the mobile application to use the secure launcher application instead of the general launcher of the operating system of the mobile device, wherein the secure launcher application implements at least one enterprise security policy of the enterprise.
  - 12. The non-transitory computer-readable media of claim 6, wherein the computer-readable instructions, when executed by the processor, further cause the device to modify a reference in the mobile application to cause the mobile application to run in a secure virtual machine that is separate from an operating system virtual machine.
  - 13. The non-transitory computer-readable media of claim 6, wherein analyzing the disassembled code comprises checking for behaviors by the mobile application that represent potential security risks to the enterprise.
  - 14. The non-transitory computer-readable media of claim 13, wherein checking for behaviors that represent potential security risks comprises:
    - generating a hash of at least a portion of the mobile application;
      
      comparing the hash to a library of hashes that are associated with known malware; and
      
      terminating the modifying of the disassembled code in response to finding a match between the hash and the library of hashes.
  - 15. The non-transitory computer-readable media of claim 13, wherein checking for behaviors that represent potential security risks comprises:
    - inspecting one or more application programming interface calls by the mobile application for suspicious activity;
      
      generating a risk score based on the suspicious activity; and
      
      terminating the modifying of the disassembled code in response to the risk score being greater than a threshold.
  - 16. The non-transitory computer-readable media of claim 15, wherein checking for behaviors that represent potential security risks further comprises:
    - generating a report of the suspicious activity; and
      
      prompting an administrator to indicate whether the modifying of the disassembled code should proceed.
  - 17. The non-transitory computer-readable media of claim 6, wherein the computer-readable instructions, when executed by the processor, further cause the device to generate a score representing a level of risk associated with the mobile application, the score being based at least partly on the analyzing of the disassembled code.
  - 18. The non-transitory computer-readable media of claim 6, storing computer-readable instructions that, when executed by the processor, cause the device to:
    - determine an identifier of the mobile application; and
      
      select a dedicated application tunnel that is exclusively dedicated for use by the mobile application,wherein the request to be sent via the application tunnel to the content-filtering device is sent via the dedicated application tunnel that is exclusively dedicated for use by the mobile application.
  - 19. The non-transitory computer-readable media of claim 6, storing computer-readable instructions that, when executed by the processor, cause the device to:
    - modify the disassembled code to add new code that causes the mobile application to store data used by the mobile application in a secure document container on a mobile device running the application, the secure document container comprising a file system configured to securely store enterprise data on the mobile device, such that the enterprise data stored in the secure document container can be deleted without modifying private data stored on the mobile device outside of the secure document container.
  - 20. The non-transitory computer-readable media of claim 6, storing computer-readable instructions that, when executed by the processor, cause the device to:
    - map the executable code of the mobile application; and
      
      modify a manifest of the mobile application to include a description of one or more new behaviors implemented by the new code.
  - 21. The non-transitory computer-readable media of claim 6, storing computer-readable instructions that, when executed by the processor, cause the device to:
    - add at least one new library to the mobile application, the at least one new library being used by the new code,wherein rebuilding the mobile application using the modified disassembled code comprises including the at least one new library in a rebuilt mobile application.

22. A system comprising:
- a device comprising;
  
  one or more first processors; and
  
  first non-transitory memory storing first computer-readable instructions that, when executed by the one or more first processors, cause the device to;
  
  disassemble executable code of a mobile application associated with an enterprise into disassembled code;
  
  analyze the disassembled code;
  
  modify the disassembled code to add new code that causes the mobile application to;
  
  detect that the mobile application is being used within a pre-defined time window;
  
  detect a request by the mobile application to access a site not associated with the enterprise; and
  
  add one or more headers to the request by the mobile application that cause the request to be sent via an application tunnel to a content-filtering server;
  
  obfuscate at least a portion of the new code to inhibit reverse engineering of the new code; and
  
  rebuild the mobile application using the modified disassembled code; and
  
  the content-filtering server, comprising;
  
  one or more second processors; and
  
  second non-transitory memory storing second computer-readable instructions that, when executed by the one or more second processors, cause the content-filtering server to;
  
  receive the request by the mobile application to access the site not associated with the enterprise;
  
  inspect the request;
  
  determine whether the site not associated with the enterprise is authorized for access within the pre-defined time window;
  
  strip the one or more headers from the request responsive to determining that the site not associated with the enterprise is authorized for access within the pre-defined time window; and
  
  after stripping the one or more headers from the request, forward the request to the site not associated with the enterprise.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The system of claim 22, wherein modifying the disassembled code comprises adding functionality that causes the mobile application to use an encryption library to encrypt data stored on a mobile device.
  - 24. The system of claim 22, wherein modifying the disassembled code comprises adding code that enables the enterprise to remotely initiate deletion of data associated with the mobile application from a mobile device.
  - 25. The system of claim 22, wherein the first computer-readable instructions, when executed by the one or more first processors, further cause the device to replace a reference in the mobile application to a general launcher of an operating system of a mobile device with a reference to a secure launcher application installed on the mobile device, to thereby cause the mobile application to use the secure launcher application instead of the general launcher of the operating system of the mobile device, wherein the secure launcher application implements at least one enterprise security policy of the enterprise.
  - 26. The system of claim 22, wherein the first computer-readable instructions, when executed by the one or more first processors, further cause the device to modify a reference in the mobile application to cause the mobile application to run in a secure virtual machine that is separate from an operating system virtual machine.
  - 27. The system of claim 22, wherein analyzing the disassembled code comprises checking for behaviors by the mobile application that represent potential security risks to the enterprise.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Qureshi, Waheed, DeBenning, Thomas H., Andre, Olivier, Abdullah, Shafaq
Primary Examiner(s)
Dao, Thuy
Assistant Examiner(s)
Sinha, Ravi K

Application Number

US13/649,022
Publication Number

US 20140007048A1
Time in Patent Office

1,077 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 8/53   Decompilation; Disassembly

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0891   Revocation or update of sec...

H04W 12/06   Authentication

H04W 12/086   using security domains

H04W 12/30   Security of mobile devices;...

H04W 12/37 : Managing security policies ...

H04W 12/64 : using geofenced areas

H04W 4/02 : Services making use of loca...

H04W 4/029 : Location-based management o...

View All

Modifying pre-existing mobile applications to implement enterprise security policies

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

482 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Modifying pre-existing mobile applications to implement enterprise security policies

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

482 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links