The present invention relates to a system and methods for controlling application programs which have been downloaded to a personal appliance such as a smart phone or a personal tablet such as an iPad.
In a typical system, a user permits an application, being a program along with associated data, to be downloaded from a remote server and then installed on the appliance. A typical example of this may be seen in the very successful model developed by Apple Computer, where its iPhone smartphone product interacts with the App Store (application store) hosted in its iTunes distribution network. Here, a user of the smartphone searches the App Store for a desired application and, after an exchange of information to validate the user's intent along with any required payment information, the application is downloaded. Following the download, the program is installed automatically and is then ready to use. From time to time, applications may receive updates from the publisher, which may be a corporate administrator, whereupon a user may choose to authorize the update or else may continue to operate the existing version of the application. A user may remove or un-install the application, deleting it using the user interface provisions of the appliance, but there is no defined mechanism for an application to be un-installed remotely which does not require the user to assign full control of the appliance to the corporate administrator. The latter is generally not a preferred approach.
A key to managing corporate assets is the ability to control access to corporate data. Where the data resides on a personal appliance such as a smart phone and is accessed by a local program or application, there is a greatly increased risk of loss. Theft of sensitive data is increasingly commonplace, and corporations are exposed to potentially disastrous losses that would destroy the business. To this end, considerable attention has been focused upon methods to protect the data, but these generally depend upon physical security of the appliance. Once the device upon which the data resides is lost, it must be assumed to be compromised, and so, at the very least, it is essential that data manipulation permissions, such as read, write, copy and print, be remotely controllable by the owner of the data. It is generally not enough simply to set these permissions to deny access; a preferable mechanism would either remove the data or alter it so that it is no longer useful. Certainly, in this simple example where the appliance has been taken from the user, there is no possibility that control of the appliance will be ceded to any other entity, and it must be assumed that the purpose of the misappropriation was to abscond with the sensitive information contained on or in the appliance.
In the co-pending U.S. application Ser. No. 12/876,214 filed on Sep. 6, 2010, entitled “System and Methods to Store, Retrieve, Manage, Augment and Monitor Applications on Appliances,” one of the features of the AppGuard™ technology is to evaluate the user permissions at each use session and, if the permission is denied or set invalid, to delete persistent data. Once this happens, although the application may no longer access that information because it has been removed or altered, that is to say deleted so as to read zero or some known, unusable state, the data structure may still be discerned, and if the structure can be extracted, then any data stored in it which has not yet been deleted becomes vulnerable. Worse, if this knowledge is used in conjunction with a second appliance where the data is still intact, then that appliance's data may be totally compromised. A better solution would be to entirely remove the application itself in addition to deleting or obfuscating the data. Still using the iPhone™ model as an example, altering a database from outside an application is fraught with difficulty because the rules that govern application interaction are designed to prevent this kind of activity. In general, application data is protected by the appliance's operating system so that it is not even readable from outside that application and certainly not alterable. It may reasonably be assumed that this partitioning of data sets is a fairly uniform goal regardless of the target appliance, and this assumption may be applied to other phones and computers such as the Blackberry™ and classes of products based on the Android™ operating system. It should be clear that if an application dataset can be manipulated externally, then there is an opportunity for a malicious program to wreak havoc in the machine.
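The following is an added illustration, not code from the application or from the AppGuard product, of the session-time permission check and of why zeroing values is a weaker wipe than removing the store. It assumes a hypothetical application whose private data is a SQLite file; the policy responses and the table contents are constructed for the example.

```python
import os
import sqlite3
import tempfile

# Constructed policy responses standing in for the per-session permission
# evaluation described in the text (hypothetical names).
POLICY_ALLOWED = {"permission": "valid"}
POLICY_REVOKED = {"permission": "denied"}


def create_store(path):
    """Create the application's private store with constructed sample rows."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE deals (customer TEXT, contract_value INTEGER, notes TEXT)")
    con.executemany("INSERT INTO deals VALUES (?, ?, ?)",
                    [("Acme Corp", 250000, "renewal Q3"), ("Globex", 90000, "pilot")])
    con.commit()
    con.close()


def schema_visible(path):
    """True if the table layout can still be read back from the file."""
    if not os.path.exists(path):
        return False
    con = sqlite3.connect(path)
    rows = con.execute("SELECT sql FROM sqlite_master WHERE type='table'").fetchall()
    con.close()
    return any("deals" in (r[0] or "") for r in rows)


def zero_data(path):
    """Weak wipe: values are overwritten, but the schema survives and, without a
    VACUUM, old page contents may still linger inside the file."""
    con = sqlite3.connect(path)
    con.execute("UPDATE deals SET customer = '', contract_value = 0, notes = ''")
    con.commit()
    con.close()


def remove_store(path):
    """Strong wipe: the whole store is removed, so no structure can be inferred."""
    if os.path.exists(path):
        os.remove(path)


def session_start(path, policy, strong=True):
    """Evaluate the permission at session start; on denial, wipe the store."""
    if policy.get("permission") == "valid":
        return "access granted"
    remove_store(path) if strong else zero_data(path)
    return "access denied; store wiped"


def demo():
    """Return whether the schema is visible after allow, weak wipe, strong wipe."""
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    create_store(path)
    session_start(path, POLICY_ALLOWED)
    after_allow = schema_visible(path)
    session_start(path, POLICY_REVOKED, strong=False)
    after_weak = schema_visible(path)
    session_start(path, POLICY_REVOKED)
    after_strong = schema_visible(path)
    return (after_allow, after_weak, after_strong)
```

Running `demo()` shows the weak wipe leaving the table definition readable, which is the residual exposure the text warns about.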
Accordingly, the only application which is permitted to alter data is the application to which the data is native. There are very limited instances where an application can collect information from another program's dataset or from data objects which are considered common or shared data (for example, the information in an address book native to the appliance can often be read), but this practice is discouraged on privacy grounds. However, so long as data is being used for a specific single task such as navigation or presence confirmation (confirming that a user is within a particular geographic area) rather than harvested for subsequent manipulation (such as being stored with a view to recording the user's activities), there is less concern. In general, any application is allocated a limited data space which is, for practical purposes, invisible to all but that application.
It is therefore apparent that an urgent need exists for a method that permits a remote supervisor to safeguard corporate information by manipulating both the data and, especially, the application in a way that secures any corporate information. This improved application management technique enables corporate control of individual appliances inasmuch as they represent a security concern, and it may be implemented within the terms of the application management contracts which govern application distribution, function and use. An additional goal is to minimize user concerns for the maintenance of privacy as to any personal data which may be stored on the appliance and to avoid requiring that the user cede control of the appliance to another.