1. Field of the Invention
Aspects of the present invention generally relate to processing for setting an application security policy.
2. Description of the Related Art
An application running on a personal computer (PC), especially on a Web browser, may be configured from Hyper Text Markup Language (HTML) files and JavaScript® files. These applications are also referred to as widgets or Web applications. These applications may also include Cascading Style Sheets (CSS) files, image files, Extensible Markup Language (XML) files, and the like.
Applications configured from HTML files and JavaScript® files are now used not only on PCs, but on various other devices as well. The framework for delivering applications to a device via an applications store has been set by the Wholesale Applications Community (WAC) as a standard specification.
Applications configured from HTML and JavaScript® can contain functions that call a device-specific function from JavaScript® code. The standard specification for calling a device-specific function from JavaScript® code is set by the World Wide Web Consortium (W3C) standard-setting organization. Such a function is also referred to as a device application programming interface (API). In addition, a specification similar to the device API has also been formulated by WAC.
There are many different types of device APIs. For example, there is an API for managing personal information, an API for acquiring position information about a device, an API for external communication via a network, and the like. The fact that an application can utilize a device-specific function increases the scope of functions that can be realized by the application.
However, the device API specification increases the security risk for device applications. For example, if an application uses an API that communicates externally via a network together with an API that accesses personal information, there is a risk that the personal information of the device owner could be compromised.
Under the WAC framework, management of the security of applications that use device APIs can be performed by employing a security policy. United States Patent Application Publication No. 2010/0077445 discusses a method for managing the security of applications with a security policy by using a dedicated application and a dedicated server. The method discussed in United States Patent Application Publication No. 2010/0077445 stores application evaluations in the dedicated server, and a management application compares the application evaluation with a predetermined threshold to determine the resources that an application can access.
However, since the method discussed in United States Patent Application Publication No. 2010/0077445 performs the determination based on the application evaluation, the resources that the application can access are determined from that evaluation even if the risk level of the device APIs (device functions) used by the application is dangerous.
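The gap described above can be shown with a short added example, which is not part of the patent text and is not the method of either publication: an evaluation-only decision beside one that also inspects which device APIs the application requests. The feature names, API classes, scores and thresholds are all constructed assumptions.

```javascript
// Added illustration. Feature names and classes are constructed, not WAC or W3C identifiers.
const API_CLASS = new Map([
  ["example:contacts", "personal"],    // personal information
  ["example:geolocation", "personal"], // device position
  ["example:network", "network"],      // external communication
  ["example:vibration", "other"],
]);

// Evaluation-only decision, as the related art is described above: the score is
// compared with a threshold and the requested device APIs are never inspected.
function evaluationOnly(app, threshold) {
  return app.evaluation >= threshold ? [...app.features] : [];
}

// API-aware decision (hypothetical): unknown APIs are denied, and personal-data
// APIs requested together with a network API are withheld unless the evaluation
// also clears a stricter threshold.
function apiAware(app, threshold, strictThreshold) {
  const granted = [];
  const denied = [];
  const hasNetwork = app.features.some((f) => API_CLASS.get(f) === "network");
  for (const feature of app.features) {
    const cls = API_CLASS.get(feature);
    if (app.evaluation < threshold) {
      denied.push({ feature, reason: "evaluation below threshold" });
    } else if (cls === undefined) {
      denied.push({ feature, reason: "unknown device API" });
    } else if (cls === "personal" && hasNetwork && app.evaluation < strictThreshold) {
      denied.push({ feature, reason: "personal data combined with network access" });
    } else {
      granted.push(feature);
    }
  }
  return { granted, denied };
}

// Constructed sample application with a moderately good evaluation.
const sampleApp = {
  name: "constructed-widget",
  evaluation: 70,
  features: ["example:contacts", "example:network", "example:vibration", "example:unlisted"],
};

console.log("evaluation only:", evaluationOnly(sampleApp, 50));
console.log("API aware:", JSON.stringify(apiAware(sampleApp, 50, 90), null, 2));
```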