US9270674B2ActiveUtilityA1

Validating the identity of a mobile application for mobile application management

96
Assignee: CITRIX SYSTEMS INCPriority: Mar 29, 2013Filed: May 20, 2013Granted: Feb 23, 2016
Est. expiryMar 29, 2033(~6.7 yrs left)· nominal 20-yr term from priority
H04L 63/10G06F 21/44H04W 12/08H04W 12/06H04L 9/0643H04L 9/3213H04L 63/126G06F 21/33H04W 12/37G06F 21/51G06F 2221/2115G06F 2221/033G06F 2221/2103G06F 21/53H04L 63/102
96
PatentIndex Score
36
Cited by
6
References
16
Claims

Abstract

A method of managing access to enterprise resources is provided. An access manager may operate at a mobile device to validate a mobile application installed at that mobile device. If the access manager does not successfully validate the mobile application, the access manager may prevent the mobile application from accessing computing resource. If the access manager does successfully validate the mobile application, then the access manager may identify the mobile application as a trusted mobile application. The access manager may thus permit the trusted mobile application to access the computing resource.

Claims

exact text as granted — not AI-modified
What is claimed is:  
     
       1. A method of managing access to enterprise resources comprising:
 operating an access manager at a mobile computing device; 
 storing, at the mobile computing device, identification information corresponding to an identification token embedded in a mobile application installed at the mobile computing device; 
 validating, using the access manager, the mobile application based, at least in part, on the identification token and the identification information stored wherein validating the mobile application comprises
 challenging the mobile application to provide a response that is based, at least in part, on the identification token, 
 generating an expected response based, at least in part, on the identification information stored, 
 comparing the expected response to the response provided by the mobile application, and 
 determining that the mobile application is either valid or invalid based on whether the expected response matches the response provided by the mobile application; 
 
 preventing the mobile application from accessing a computing resource upon unsuccessful validation of the mobile application by the access manager; 
 identifying the mobile application as a trusted mobile application upon successful validation of the mobile application by the access manager; and 
 permitting the trusted mobile application to access the computing resource. 
 
     
     
       2. The method of  claim 1  wherein:
 the identification token is embedded into the mobile application before the mobile application is installed at the mobile computing device; 
 the mobile application is configured to extract the identification token embedded in the mobile application; and 
 the response provided by the mobile application is based further on the identification token extracted from the mobile application. 
 
     
     
       3. The method of  claim 2  wherein validating the mobile application further includes:
 deriving one or more identification tokens from the mobile application using the access manager; 
 generating an expected application signature based on an arrangement of the one or more identification tokens derived from the mobile application and the identification information stored that corresponds to the identification token embedded in the mobile application; and 
 generating the expected response based further on the expected application signature. 
 
     
     
       4. The method of  claim 3  wherein validating the mobile application further includes:
 providing a nonce to the mobile application; 
 computing an expected hash value using the expected application signature and the nonce; and 
 wherein the expected response is the expected hash value. 
 
     
     
       5. The method of  claim 1  further comprising:
 opening a Transmission Control Protocol (TCP) socket at the mobile computing device using the access manager; 
 waiting for the mobile application to establish a connection with the access manager at the TCP socket; and 
 wherein the access manager initiates validation of the mobile application when the mobile application establishes a connection with the access manager at the TCP socket. 
 
     
     
       6. The method of  claim 1  further comprising:
 obtaining an application policy associated with the trusted mobile application; 
 storing the application policy at the mobile computing device; and 
 controlling operation of the trusted mobile application using the access manager and based on the application policy. 
 
     
     
       7. A mobile computing device comprising:
 a mobile application configured to access a computing resource; 
 a data store storing identification information corresponding to an identification token embedded in the mobile application; 
 an access manager configured to validate the mobile application based on the stored identification information by
 challenging the mobile application to provide a response that is based, at least in part, on the identification token, 
 generating an expected response based, at least in part, on the identification information stored, 
 comparing the expected response to the response provided by the mobile application, and 
 determining that the mobile application is either valid or invalid based on whether the expected response matches the response provided by the mobile application; and 
 
 wherein the access manager is further configured to
 prevent the mobile application from accessing the computing resource upon unsuccessful validation of the mobile application, 
 identify the mobile application as a trusted mobile application upon successful validation of the mobile application, and 
 permit the trusted mobile application to access the computing resource. 
 
 
     
     
       8. The mobile computing device of  claim 7  wherein:
 the mobile application is configured to extract the identification token embedded in the mobile application; and 
 the response provided by the mobile application is further based on the embedded identification token extracted from the mobile application. 
 
     
     
       9. The mobile computing device of  claim 8  wherein the access manager is further configured to:
 derive one or more identification tokens from the mobile application; 
 generate an expected application signature based on an arrangement of the one or more identification tokens derived from the mobile application and the identification information stored that corresponds to the identification token embedded in the mobile application; and 
 generate the expected response based further on the expected application signature. 
 
     
     
       10. The mobile computing device of  claim 9  wherein the access manager is further configured to:
 provide a nonce to the mobile application; 
 compute an expected hash value using the expected application signature and the nonce; and 
 wherein the expected response comprises the expected hash value. 
 
     
     
       11. The mobile computing device of  claim 7  wherein the computing resource is at least one of:
 i) a software application operating at the mobile computing device or a remote computing system; 
 ii) a service provided by the mobile computing device or the remote computing system; 
 iii) data stored at the mobile computing device or the remote computing system; 
 iv) hardware at the mobile computing device or the remote computing system; and 
 v) combinations thereof. 
 
     
     
       12. The mobile computing device of  claim 7  further comprising:
 an application policy associated with the mobile computing device; and 
 wherein the access manager is configured to control operation of the trusted mobile application based on the application policy. 
 
     
     
       13. A non-transitory computer-readable storage medium having instructions stored thereon that, when executed at a mobile computing device, cause the mobile computing device to:
 validate a mobile application installed at the mobile computing device based on identification information stored at the mobile computing device wherein the identification information stored corresponds to an identification token embedded in the mobile application and wherein validating the mobile application comprises
 challenging the mobile application to provide a response that is based, at least in part, on the identification token, 
 generating an expected response based, at least in part, on the identification information stored, 
 comparing the expected response to the response provided by the mobile application, and 
 determining that the mobile application is either valid or invalid based on whether the expected response matches the response provided by the mobile application; and 
 prevent the mobile application from accessing a computing resource upon unsuccessful validation of the mobile application; 
 identify the mobile application as a trusted mobile application upon successful validation of the mobile application and 
 
 permit the trusted mobile application to access the computing resource. 
 
     
     
       14. The non-transitory computer-readable storage medium of  claim 13  wherein the instructions, when executed, further cause the mobile computing device to:
 derive an identification token from the mobile application; 
 generate an application signature comprising an arrangement of the derived identification token and the identification information stored that corresponds to the identification token embedded in the mobile application; and 
 wherein the expected response is based further on the application signature. 
 
     
     
       15. The non-transitory computer-readable storage medium of  claim 14  wherein:
 the challenge includes a nonce; and 
 the expected response is based further on the nonce. 
 
     
     
       16. The non-transitory computer readable storage medium of  claim 15  wherein the instructions, when executed,further cause the mobile computing device to:
 hash the nonce provided to the mobile application in the challenge with the application signature to generate an expected hash value; and 
 wherein the expected response comprises the expected hash value.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.