Recent years have brought the emergence and rapid proliferation of mobile computing devices such as mobile telephones or handsets with extensive computing, communication, and input and interaction capabilities (“smartphones”) plus a growing array of other mobile computing devices such as touchscreen tablets, netbooks, electronic document readers, and laptops in a wide range of sizes and with wireless and wired communication capabilities. This proliferation of mobile devices has been accompanied by complementary advances in development and adoption of long range, wireless broadband technologies such as 3G and 4G, as well as commonplace deployment of shorter range wireless technologies such as the 802.11 series of wireless standards and BLUETOOTH® short range wireless, all with considerable bandwidth. These technologies span multiple radio frequency bands and protocols. Alongside the radio transceivers for such communications capabilities, many of these devices also contain an array of onboard sensors such as cameras, microphones, and GPS receivers plus other locating technologies, as well as considerable fixed-onboard and removable memory for information and multimedia storage. Furthermore, smartphones and similar devices are typically capable of running a wide variety of software applications such as browsers, e-mail clients, media players, and other applications, which in some cases may be installed by the user.
Along with the profusion of smartphones and other mobile, wireless-capable devices, there has also been a dramatic increase in the use of social networks and related technologies for information sharing, for consumer as well as for professional uses. Access to social networks on mobile devices has heightened concerns about individual, government, and corporate information security, and about possibilities for privacy violations and other unintended and undesirable information sharing. Furthermore, the possible professional and personal use of any given handset presents a complex set of usage contexts under which rules for device capability usage and information access need to be considered.
Such sophisticated and capable smartphones and similar devices, along with the vast amounts of information that they can contain and access, present a large set of potential security vulnerabilities (a large “attack surface”) that might allow information to be accessed by malicious parties or allow undesirable use and exploitation of the device capabilities for malicious purposes such as “phishing” fraud, other online fraud, inclusion in botnets for spam transmission, denial-of-service attacks, malicious code distribution, and other undesirable activities. Furthermore, compared with conventional desktop personal computers, smartphone handsets by nature are portable and thus more easily stolen. Portability also means that the devices will encounter more varied security contexts difficult to foresee, and which may only occur once or twice during the lifecycle of the device. The mobile threat landscape is complex and presents a vast set of extant and emergent security concerns. Therefore, there is a pressing and growing need for comprehensive and secure systems for controlling access to the capabilities and information present on mobile devices.
Policy enforcement mechanisms, and policy frameworks—even rule-based ones—are not new. See, e.g., U.S. Pat. No. 5,881,225, U.S. Pat. No. 7,140,035, U.S. Pat. No. 7,246,233, U.S. Pat. No. 7,640,429 (which shares a common inventor with this application), U.S. Pat. No. 8,127,982, U.S. Pat. No. 8,285,249, U.S. Pat. No. 8,463,819, U.S. Pat. No. 8,468,586, US 2009/0205016, US 2013/0029653. However, even where they are not merely limited to authentication or to highly specialized applications (e.g., parental controls), existing technologies are ill-suited to today's mobile network environments. None discloses an architecture or means of policy development and verification suitable for the diverse set of devices and potentially hostile environments contemplated by the invention.
In contrast, the invention disclosed herein pertains to a very granular and secure policy-based control of capabilities, information access and resource usage on handsets and other mobile computing devices. Also presented are certain special methods and techniques within this invention for preserving the confidentiality of system communications and stored information, for removing, or eliminating exposure of, certain security vulnerabilities, and for defending the system and the handsets protected by it from various kinds of attacks and unwanted activities. Among the novel aspects are: a client/server architecture; a policy development, verification, and introspection means usable in modern wireless networks and the devices that may communicate over them; hierarchical policy delegation and priority; a policy resolution engine that maximizes both flexibility and performance by allowing evaluation of dynamic runtime policies alongside compiled ones as well as a caching mechanism for server-provided policies and rules; event-driven policy resolution and enforcement; hardened enforcement at the CPU layer; to name a few.