Mobile computing devices such as smartphones and tablet computers are becoming more widely used every day. There are multiple mobile operating systems available for different mobile computing devices, each with a wide variety of available apps. Users can install apps on their mobile devices by downloading them from an online app store that provides apps for their particular mobile operating system.
Apple's iOS (formerly known as iPhone OS) is a mobile operating system that runs on Apple mobile devices such as the iPhone, the iPad and the iPod Touch. Many applications (“apps”) for iOS are available for download from Apple's App Store. Android is an open-source, Linux-based operating system for mobile devices. A large community of developers write apps that run on Android devices. Android apps are available online through Google Play (formerly the Android Market). Windows Phone is a mobile operating system developed by Microsoft. Users can download apps for Windows Phone from Microsoft's Windows Phone Marketplace. Apps for Windows Metro (the tile-based “modern UI” component of Windows 8) and Windows RT (a version of Windows 8 for portable devices based on ARM processors, such as Microsoft's Surface tablet) can be purchased and downloaded from Microsoft's Windows Store. Another example of a mobile operating system is BlackBerry OS (the latest version is BlackBerry 10) from BlackBerry Limited (formerly Research In Motion). BlackBerry OS apps are downloaded from the BlackBerry World storefront.
Many mobile operating systems such as iOS, Android and Windows Phone run each app in a separate sandbox, which is an isolated area that does not have access to the rest of the system's resources unless permissions are explicitly granted. A sandbox is a tightly controlled environment that provides limited areas of storage and memory for the app and restricts or disallows access to system and hardware resources such as the network, input devices, current location, contacts, etc. Typically, a sandboxed app is only allowed to access files inside its own storage area, and cannot change system settings. Operating systems that run apps in this manner are sometimes referred to as sandboxed operating systems. In addition to operating systems for tablets, smartphones and the like, some operating systems for laptop and desktop computers, such as Windows 8 and MacOS, also run sandboxed apps.
Providers of apps, such as commercial software publishers, often create partnerships with separate organizations, such as internet service providers (ISPs) or retailers. Under these partnerships, it is desirable to provide partner specific branding, authentication and other targeted features as part of the app. In this context, a given software publisher may enter into separate arrangements with multiple parties to provide partner specific versions of the same underlying app. For example, a publisher of a security app may have a partnership with an ISP, a separate partnership with a retailer of tablets and a third partnership with a cell phone carrier. In this case, it would be desirable for the app provider to distribute a separate, partner-aware version of the security app to each partner's customers (e.g., the ISP subscribers, the tablet purchasers and the cellular service customers). In other words, each partner wants a version of the app to be provided to its customers that includes its own specific branding and other targeted features.
One feature the partners often want in such a scenario is to provide their own authentication of users. Providing third-party authentication securely for a partner within an app creates some specific difficulties. This issue is compounded by the fact that providing third-party authentication for multiple partners from a single app requires integrating with multiple third-party authentication services and identity providers (“IdPs”). An identity provider (IdP), sometimes called an identity service provider or identity assertion provider, is an online service or website that authenticates users by means of security tokens (sometimes called identity tokens, authentication tokens or software tokens). Note that many service providers are also IdPs, and an IdP can provide services in addition to identity services.
Conventionally, secure third-party authentication is performed via a browser, using industry standards such as SAML, OpenID and OAuth, which support authentication by multiple IdPs. However, this is not practicable for an app on a sandboxed operating system. The app can initiate the authentication process through the browser, but the sandboxed nature of the operating system makes it impossible to communicate an authenticated identity back from the browser to the app.
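As an added illustration of the token-based IdP authentication described in the two paragraphs above (example code, not code from the patent or from any of the products it names), the following Python sketch shows one partner IdP issuing a signed identity token and a partner-aware app validating it against a registry of several trusted partner IdPs. The issuer URLs, key material, audience string and claim names are assumptions made for the example, and the token format is a simplified HMAC-signed claims payload rather than a particular SAML, OpenID or OAuth message.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the app trusts one signing key per partner
# IdP, keyed by issuer identifier. The keys are placeholders, not real secrets.
PARTNER_IDPS = {
    "https://idp.isp.example": b"placeholder-isp-signing-key",
    "https://idp.retailer.example": b"placeholder-retailer-signing-key",
}
# Assumed identifier for the partner-aware app that consumes the tokens.
APP_AUDIENCE = "security-app-partner-edition"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact token formats."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, subject: str, nonce: str, now: int, lifetime: int = 300) -> str:
    """IdP side: sign a claims payload with this issuer's key.

    The nonce is the value the app generated when it started the login, so the
    app can later tell that the token answers *its* request.
    """
    claims = {
        "iss": issuer, "sub": subject, "aud": APP_AUDIENCE,
        "nonce": nonce, "iat": now, "exp": now + lifetime,
    }
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(PARTNER_IDPS[issuer], payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def verify_token(token: str, expected_nonce: str, now: int) -> dict:
    """App side: accept a token only if every check passes.

    Checks: well-formed, issuer is a registered partner IdP, signature made with
    that issuer's key (not some other partner's), intended for this app, inside
    its validity window, and bound to the login attempt the app initiated.
    """
    try:
        payload, sig_text = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed token")
    key = PARTNER_IDPS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    expected_sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_text)):
        raise ValueError("bad signature")
    if claims.get("aud") != APP_AUDIENCE:
        raise ValueError("token not intended for this app")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("token expired or not yet valid")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this login attempt")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token("https://idp.isp.example", "alice@isp.example", "nonce-1", now)
    print(verify_token(tok, "nonce-1", now + 5))
```

The design point for a multi-partner app is that the signature is checked with the key belonging to the issuer the token names, so a token signed by one partner's IdP but labelled with another partner's issuer is rejected; the audience and nonce checks then stop a token minted for a different relying party, or for a different login attempt, from being accepted.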
It would be desirable to address these issues.