EP1582053A2 - System and method for distributed authorization for access to a communications device - Google Patents

System and method for distributed authorization for access to a communications device

Info

Publication number
EP1582053A2
Authority
EP
European Patent Office
Prior art keywords
information
application
access
authorization
specific data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP03814848A
Other languages
German (de)
English (en)
Other versions
EP1582053A4 (fr)
Inventor
Wei-Hsing Lee
Jyh-Han Lin
Ronald R. Smith
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Motorola Solutions Inc
Original Assignee
Motorola Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Motorola Inc
Publication of EP1582053A2
Publication of EP1582053A4
Legal status: Withdrawn

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W 8/20 Transfer of user or subscriber data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W 8/183 Processing at user equipment or user record carrier

Definitions

  • The invention relates to the field of communications, and more particularly to a distributed authorization system in which access to data on a mobile unit by onboard applications, such as the phone book, hardware identifiers or other data on a cellular telephone or other device, may be regulated by an authorization process performed on a remote server or other resource.
  • Onboard applications such as phone book, hardware identifiers or other data on a cellular telephone or other device
  • Cellular telephones and other communications devices are now programmable in a variety of ways. For instance, many cellular telephones contain editable phone books to permit convenient storage and dialing of frequently-used or important numbers. Other cellular telephones or other devices have Web browsing, file sharing and other enhanced functionality, whether via graphical user interface, voice commands or other interfaces. Moreover, cellular telephones are becoming available which include integrated positioning capability, such as the ability to track, record and communicate handset position via GPS or other location service. Other services are being and will be deployed. Over-the-air programming (OAP) standards such as those employing the Java programming language have enhanced the delivery of such services, on an on-demand or other basis.
  • OAP Over-the-air programming
  • Handsets and other devices may have the storage capacity and intelligence to store a variety of sensitive or personal information, such as a handset's International Mobile Equipment Identity (IMEI) data, a subscriber identity module (SIM) ID or other related data, number assignment module (NAM) data, mobile identification number (MIN) data, electronic serial number (ESN) data, phone books, position tracking or other information.
  • IMEI International Mobile Equipment Identity
  • SIM subscriber identity module
  • NAM number assignment module
  • MIN mobile identification number
  • ESN electronic serial number
  • Devices which may accept Java or other over-the-air code could be exposed to security risks from malicious code such as viruses, disguised games or ring tones, or other code or data. Once a malicious process has invaded the device, the user's sensitive hardware, phone book, positioning or other data could be exposed and compromised.
  • While user-facing security measures may be incorporated, such as requiring passwords on a handset interface before permitting access to hardware, phone book or other data, over-the-air and other threats may continue to test the integrity of the mobile device and its data, including by way of low-level code which insinuates itself into the device at comparatively low levels, such as application programming interfaces (APIs) and other open ports or interfaces. Better core-level security on communications devices is desirable. Other problems exist.
  • APIs application programming interfaces
  • The invention, overcoming these and other problems in the art, relates in one regard to a system and method for distributed authorization for access to a communications device, in which a cellular handset or other communications device may be equipped to receive requests for sensitive onboard data by Java or other applications.
  • An authorization process may be initiated via a remote server or other resource.
  • The communications device may present an API to internally executing programs through which all requests for sensitive data may be made.
  • The API may communicate those requests, for instance via an over-the-air interface, to a remote support server for authentication.
  • Authentication may be made against a permission access list, enumerating valid programs or processes which have access rights to requested levels of data. When a request is validated, permission may be returned to the communications device to permit the requesting code to obtain the desired data.
  • FIG. 1 illustrates a distributed authorization architecture, according to an embodiment of the invention.
  • FIG. 2 illustrates an illustrative table for storing authorization parameters, according to an embodiment of the invention.
  • FIG. 3 illustrates a user interface on a communications device displaying an authorization notification, according to an embodiment of the invention.
  • FIG. 4 illustrates a flowchart of authorization processing, according to an embodiment of the invention.
  • FIG. 1 illustrates a distributed authorization architecture in which an embodiment of the invention may operate.
  • A communications device 102 may wirelessly communicate with an authorization server 118 to initiate and validate requests for access to device-specific data 110 made by applications running on communications device 102.
  • Communications device 102 may be or include, for instance, a cellular telephone, a network-enabled wireless device such as a personal digital assistant (PDA) or personal information manager (PIM) equipped with an IEEE 802.11b or other wireless interface, a laptop or other portable computer equipped with an 802.11b or other wireless interface, or other communications or client devices.
  • PDA personal digital assistant
  • PIM personal information manager
  • Device-specific data 110 may be or include, for instance, IMEI data, data from a SIM, chip-level data, phone books or contact lists or other personalized user settings, position tracking, electronic wallet, scheduling, cellular service or other billing, messaging such as short message service (SMS) or other text or other messaging, or other hardware-related, user-based or other information.
  • Device-specific data 110 may be stored in communications device 102, for instance, in electronically programmable memory (EPROM), flash cards, or other electronic, optical or other media.
  • EPROM electronically programmable memory
  • The communications device 102 may execute one or more applications 104, for instance a Java application, which in embodiments may include a Java Micro Edition application, a C or C++ program, or other program or code.
  • Application 104 may be or include, for instance, a contact scheduler application, a phone book application, a Web browsing application, a financial application, a personal information manager (PIM) application, or other application or service.
  • Application 104 may conform to or be implemented using the Java mobile information device profile (MIDP) standard, in which case applications may be referred to as MIDlets, or other languages or environments.
  • MIDP Java mobile information device profile
  • Application 104 may be received over the air via antenna 112, or received or stored from other sources, such as a cable-connected download.
  • The application 104 may interact with an application programming interface
  • Application programming interface 106 may present a programming interface to application 104 to mediate requests to the set of device-specific data 110 on communications device 102 and perform other tasks.
  • Application programming interface 106 may present application-accessible interfaces to data or object classes such as, for instance, network, user interface, data attributes and data content, and other resources.
  • Native layer 108 may in embodiments operate at a comparatively low level in communications device 102, and act on requests passed by application programming interface 106 for device-specific data 110.
  • Native layer 108 may for example in embodiments perform supervisory, file and memory management, and other tasks.
  • Application programming interface 106 may trap that access request 114 at the system level for offboard processing, before permitting any of device-specific data 110 to be released.
  • Application programming interface 106 may communicate with authorization server 118 to authorize that access request 114.
  • Application programming interface 106 may communicate with the authorization server 118 via server antenna 116, or other wireless or wired interfaces.
  • Application programming interface 106 may transmit to authorization server 118 an access request 114 containing, for instance, the type of data requested from the set of device-specific data 110, the name or other identifying information for application 104, access parameters such as time of last access, passwords if requested, or other data related to the access request 114 for part or all of device-specific data 110.
  • Authorization server 118 may maintain a set of authorization parameters 120 against which to process the access request 114 for access to device-specific data 110. As illustrated in FIG. 2, for example, authorization parameters 120 may be maintained in authorization table 124, which may be stored in or accessed by authorization server 118. Authorization table 124 may contain a set of application identifiers 126 (APP IDENTIFIER 1, APP IDENTIFIER 2 ... APP IDENTIFIER N, N arbitrary), which identifiers may in embodiments include a list of application names or other identifiers, such as "phonebook.MID", "contactlist.c", "positiontrack.exe" or other names or indicia.
  • Authorization table 124 may likewise contain a set of associated access levels 128, correlated by application name or other indicia, which may indicate whether a given application 104 may be permitted to access device-specific data 110, and in embodiments at which levels or with what privileges (e.g., read, edit, or other) that access may be granted.
  • Authorization server 118 may transmit an authorization message 122 to communications device 102.
  • The authorization message 122 may contain, for instance, a code, flag or other indication that application 104 may access device-specific data 110.
  • The authorization message 122 may contain additional fields or variables by which access to device-specific data 110 may be regulated, for instance a privilege field or flag which indicates whether application 104 may have the right to read, modify, erase or perform other actions on device-specific data 110.
  • Authorization message 122 may likewise contain a timeout field which sets a period of time in which application 104 may access the desired data, but after which the authorization expires. Other security variables are possible.
  • The authorization may be granted for a single application 104, or for more than one application, or for different applications at different times.
  • Authorization to access device-specific data 110 reflected in authorization message 122 may be made at differing levels for different parts of that data, depending on the sensitivity of the data, the nature of the application 104 making the access request 114, and other factors.
  • The application programming interface 106 may pass the access request 114 to native layer 108, which may retrieve the requested data from device-specific data 110. Native layer 108 may then pass the retrieved device-specific data 110 to application programming interface 106 to be delivered to application 104. Application 104 may then receive and read the requested part or whole of device-specific data 110, to operate on or modify that data. In embodiments, application 104 may also receive authorization to store modified data into device-specific data 110, to transmit the device-specific data 110 over the air interface of antenna 112, or take other action, depending on the type or level of authorization received, network security and other parameters.
  • The authorization message 122 may contain a deny flag or other indicator that application 104 may not access part or any of device-specific data 110.
  • The communications device 102 may notify the user that an application or service has been denied access to device-specific or sensitive information. As illustrated, that notification may be, for instance, by way of a pop-up message 132 presented on a text or graphical user interface 130 as shown, by a verbal message or otherwise. This notification may, for instance, assist the user in deciding to run an anti-virus or other utility on communications device 102, or take other action.
  • Denial of access to device-specific data 110 may trigger automatic logging of application 104, automatic transmission of an anti-virus or other utility to communications device 102, or other action.
  • In step 402, application 104 may request one or more parts of device-specific data 110 from the communications device 102 via application programming interface 106 and native layer 108, at the API or other level.
  • In step 404, the access request 114 may be transmitted to the authorization server 118, for instance via an over-the-air protocol, which for example may be communicated using a secure or other protocol such as secure socket layer (SSL), hypertext transfer protocol secure (HTTPS) or other protocol or interface.
  • SSL secure socket layer
  • HTTPS hypertext transfer protocol secure
  • The request may, in embodiments, encapsulate data such as the name or other identifier of application 104, the type of data in device-specific data 110 being requested, and other information.
  • The authorization server 118 may check the access request 114 by application 104 against authorization parameters 120 or other security fields or templates, make an authorization determination and communicate an authorization message 122 to communications device 102.
  • The authorization message 122 may contain an indication that the access request 114 is granted, denied, deferred, that further information will be required, or that other action may be taken.
  • The native layer 108 may read out the one or more parts of device-specific data 110 which application 104 has been authorized to access.
  • The native layer 108 may communicate the one or more parts of device-specific data 110 which application 104 has been authorized to access to application programming interface 106.
  • The application programming interface 106 may communicate the requested device-specific data 110 to the application 104. Processing may then repeat, return to an earlier point, continue to further processing or terminate.
  • Communications device 102 may operate without that type of local layer, for instance with some functionality distributed to authorization server 118 or otherwise.
  • Communications device 102 may conversely contain or operate on other or multiple supervisory layers.
  • Other hardware, software or other resources described as singular may be implemented in multiple or distributed resources, while other hardware, software or other resources described as distributed may likewise be implemented as integrated resources.
  • The scope of the invention is accordingly intended to be limited only by the following claims.
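The table-driven check on the server, the grant/deny, privilege and timeout fields of the authorization message, and the device-side trap that releases nothing until the server has answered are modelled end to end below as an added example. This is illustrative code written for this page, not code from the patent or from Motorola; the class names (AuthorizationServer, DeviceApi, AccessRequest, AuthorizationMessage), the sample table entries, the application names beyond those the text itself lists, and the constructed device data are assumptions, and the over-the-air SSL/HTTPS transport between device and server is replaced by a direct function call so that it runs offline.

```python
# Added example (not the patent's or Motorola's code): offline model of the distributed
# authorization flow. All names, table entries and device data are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:                 # access request 114, as sent off-board by the device API
    app_identifier: str              # e.g. "phonebook.MID"
    data_type: str                   # e.g. "phonebook", "imei", "position"
    privilege: str                   # "read", "modify" or "erase"


@dataclass(frozen=True)
class AuthorizationMessage:          # authorization message 122 returned by the server
    decision: Decision
    privileges: frozenset = frozenset()   # privilege field: what the application may do
    timeout_seconds: float = 0.0          # timeout field: how long the device may cache the grant


# Constructed authorization table (authorization table 124 in the text):
# application identifier -> data type -> privileges. Anything not listed has no access level.
AUTHORIZATION_TABLE = {
    "phonebook.MID": {"phonebook": frozenset({"read", "modify"})},
    "contactlist.c": {"phonebook": frozenset({"read"})},
    "positiontrack.exe": {"position": frozenset({"read"})},
}


class AuthorizationServer:
    """Authorization server 118 (hypothetical name): checks each request against the table."""

    def __init__(self, table, grant_timeout=300.0):
        self.table = table
        self.grant_timeout = grant_timeout
        self.request_count = 0       # lets the demo show when the device went off-board
        self.audit_log = []          # denied requests are logged, as the text suggests

    def authorize(self, req):
        self.request_count += 1
        granted = self.table.get(req.app_identifier, {}).get(req.data_type, frozenset())
        if req.privilege not in granted:
            # Default deny: unknown application, unlisted data type, or privilege above its level.
            self.audit_log.append(("deny", req))
            return AuthorizationMessage(Decision.DENY)
        return AuthorizationMessage(Decision.GRANT, granted, self.grant_timeout)


class DeviceApi:
    """API 106 on the device (hypothetical name): traps every request for device-specific data
    before the native layer releases anything, and honours a grant only until its timeout."""

    def __init__(self, server, device_data, clock):
        self.server = server
        self.device_data = device_data   # stands in for the native layer's data store
        self.clock = clock               # injected so the timeout behaviour is deterministic
        self.grants = {}                 # (app_identifier, data_type) -> (message, expiry)
        self.notifications = []          # user-facing denial notices (pop-up 132 in the text)

    def access(self, app_identifier, data_type, privilege="read", new_value=None):
        now = self.clock()
        key = (app_identifier, data_type)
        cached = self.grants.get(key)
        if cached is None or now >= cached[1] or privilege not in cached[0].privileges:
            # No usable grant held on the device: go off-board for a decision (step 404).
            msg = self.server.authorize(AccessRequest(app_identifier, data_type, privilege))
            if msg.decision is not Decision.GRANT:
                self.notifications.append(f"{app_identifier} denied {privilege} on {data_type}")
                return None
            self.grants[key] = (msg, now + msg.timeout_seconds)
        # Only now does the native layer read out (or update) the requested data.
        if privilege == "modify":
            self.device_data[data_type] = new_value
        return self.device_data.get(data_type)


def demo():
    """Exercises the flow on constructed device data with a manual clock; returns what happened."""
    clock = [1000.0]
    server = AuthorizationServer(AUTHORIZATION_TABLE, grant_timeout=60.0)
    device = DeviceApi(server, {"phonebook": ["Alice", "Bob"], "imei": "IMEI-PLACEHOLDER"},
                       clock=lambda: clock[0])
    r = {}
    r["phonebook_read"] = device.access("phonebook.MID", "phonebook")
    r["imei_by_unknown_app"] = device.access("ringtone-game.jar", "imei")   # not in the table
    r["contactlist_modify"] = device.access("contactlist.c", "phonebook", "modify", ["Mallory"])
    r["phonebook_modify"] = device.access("phonebook.MID", "phonebook", "modify",
                                          ["Alice", "Bob", "Carol"])   # covered by cached grant
    r["round_trips_with_cached_grant"] = server.request_count
    clock[0] += 61.0                                                      # grant timeout elapses
    r["phonebook_after_expiry"] = device.access("phonebook.MID", "phonebook")
    r["round_trips_after_expiry"] = server.request_count
    r["notifications"] = list(device.notifications)
    r["audit_denials"] = len(server.audit_log)
    return r
```

Calling demo() shows the three properties a defender cares about in this design: any identifier absent from the table, any data type not listed for it, and any privilege above its access level are denied by default; a grant is usable on the device only until the server-set timeout elapses, after which the next request goes off-board again; and every denial is both recorded in the server's audit log and surfaced to the user.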

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

According to the invention, cellular telephones or other communications devices may intercept requests by applications, for example applications received via over-the-air programming, to access sensitive device-specific data. Such device-specific data may include hardware identifiers, such as the International Mobile Equipment Identity or other serial or subscriber identification values, personalized settings such as phone books, contact lists and messaging information, or other data. Requests by applications to access such data may be intercepted, for example by an application programming interface executing in the communications device. The application programming interface may communicate the request, together with information identifying the requesting application, to a remote authorization server. That server may compare the application identifier or other information against a list or table of applications authorized to access the device-specific data. A grant, denial, deferral or other decision may be transmitted back to the device, to permit or refuse access accordingly. Routing requests for such data to a remote host server may, for example, prevent sensitive data from being accessed or altered by viruses, unwanted applications or other types of wireless intrusion.
EP03814848A 2002-12-31 2003-12-16 System and method for distributed authorization for access to a communications device Withdrawn EP1582053A4 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US33414102A 2002-12-31 2002-12-31
US334141 2002-12-31
PCT/US2003/040125 WO2004062243A2 (fr) 2002-12-31 2003-12-16 System and method for distributed authorization for access to a communications device

Publications (2)

Publication Number Publication Date
EP1582053A2 true EP1582053A2 (fr) 2005-10-05
EP1582053A4 EP1582053A4 (fr) 2006-04-12

Family

ID=32710862

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03814848A Withdrawn EP1582053A4 (fr) 2002-12-31 2003-12-16 System and method for distributed authorization for access to a communications device

Country Status (6)

Country Link
EP (1) EP1582053A4 (fr)
JP (1) JP2006514763A (fr)
KR (1) KR20050096114A (fr)
CN (1) CN1732674A (fr)
AU (1) AU2003297229A1 (fr)
WO (1) WO2004062243A2 (fr)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4583152B2 (ja) * 2004-12-10 2010-11-17 富士通株式会社 Service processing method and program
US7707632B2 (en) * 2005-07-28 2010-04-27 Mformation Technologies, Inc. System and method for automatically altering device functionality
KR100785782B1 (ko) * 2005-11-17 2007-12-18 한국전자통신연구원 Authority delegation system and method
EP1967026A2 (fr) * 2005-12-30 2008-09-10 Telecom Italia S.p.A. Method for personalizing the operation of a telephone terminal
WO2008060300A1 (fr) * 2006-11-16 2008-05-22 Dynomedia, Inc. Systems and methods for distributed digital rights management
US8831223B2 (en) 2008-01-21 2014-09-09 Telefonaktiebolaget L M Ericsson (Publ) Abstraction function for mobile handsets
US8327006B2 (en) * 2011-02-24 2012-12-04 Jibe Mobile Endpoint device and article of manufacture for application to application communication over a network
EP2951676B1 (fr) 2013-01-29 2020-12-30 BlackBerry Limited Managing application access to data
CN104283853B (zh) 2013-07-08 2018-04-10 华为技术有限公司 Method for improving information security, terminal device and network device
US20150195395A1 (en) * 2014-01-06 2015-07-09 Desiree Gina McDowell-White Secure Cloud-Based Phonebook
CN104951715A (zh) * 2015-06-11 2015-09-30 联想(北京)有限公司 Information processing method and electronic device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0813132A2 (fr) * 1996-06-11 1997-12-17 International Business Machines Corporation Support for secure software distribution
EP0973350A2 (fr) * 1998-07-17 2000-01-19 Phone.Com Inc. Method and apparatus for controlling access to local services of mobile devices
EP1107623A2 (fr) * 1999-12-06 2001-06-13 Nokia Mobile Phones Ltd. Mobile station allowing user definition of a private zone to limit access to user program data
FR2822334A1 (fr) * 2001-03-16 2002-09-20 Schlumberger Systems & Service Subscriber identity module with independent and secure management of a plurality of commands from at least one applet, in particular for mobile communication equipment

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5835061A (en) * 1995-06-06 1998-11-10 Wayport, Inc. Method and apparatus for geographic-based communications service
JPH09319570A (ja) * 1996-05-29 1997-12-12 Sanyo Electric Co Ltd Software license management system
EP1011274A1 (fr) * 1998-12-16 2000-06-21 TELEFONAKTIEBOLAGET L M ERICSSON (publ) Method and device for providing services in a telecommunications network
US6647260B2 (en) * 1999-04-09 2003-11-11 Openwave Systems Inc. Method and system facilitating web based provisioning of two-way mobile communications devices
JP2001117769A (ja) * 1999-10-20 2001-04-27 Matsushita Electric Ind Co Ltd Program execution device
JP2002041170A (ja) * 2000-07-27 2002-02-08 Matsushita Electric Ind Co Ltd Program execution control device
JP3853140B2 (ja) * 2000-08-08 2006-12-06 株式会社シーイーシー Software management system and billing method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0813132A2 (fr) * 1996-06-11 1997-12-17 International Business Machines Corporation Support for secure software distribution
EP0973350A2 (fr) * 1998-07-17 2000-01-19 Phone.Com Inc. Method and apparatus for controlling access to local services of mobile devices
EP1107623A2 (fr) * 1999-12-06 2001-06-13 Nokia Mobile Phones Ltd. Mobile station allowing user definition of a private zone to limit access to user program data
FR2822334A1 (fr) * 2001-03-16 2002-09-20 Schlumberger Systems & Service Subscriber identity module with independent and secure management of a plurality of commands from at least one applet, in particular for mobile communication equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of WO2004062243A2 *

Also Published As

Publication number Publication date
JP2006514763A (ja) 2006-05-11
WO2004062243A3 (fr) 2004-08-26
CN1732674A (zh) 2006-02-08
AU2003297229A1 (en) 2004-07-29
AU2003297229A8 (en) 2004-07-29
WO2004062243A2 (fr) 2004-07-22
KR20050096114A (ko) 2005-10-05
EP1582053A4 (fr) 2006-04-12

Similar Documents

Publication Publication Date Title
US6591095B1 (en) Method and apparatus for designating administrative responsibilities in a mobile communications device
EP2941729B1 (fr) Protection and confidentiality of trusted service manager data
US8577334B1 (en) Restricted testing access for electronic device
US9198026B2 (en) SIM lock for multi-SIM environment
US11671832B2 (en) Unified enterprise management of wireless devices in a controlled environment
EP1950681A1 (fr) Mobile terminal, access control management device and access control management method
US20100062808A1 (en) Universal integrated circuit card having a virtual subscriber identity module functionality
EP1542117A1 (fr) Binding content to a user
KR101514753B1 (ko) System and method for a secure repository of sensitive financial information stored in a mobile communication terminal
CN110876144B (zh) Mobile application method, apparatus and system for identity credentials
EP1582052B1 (fr) System and method for distributed authorization and deployment of over-the-air provisioning for a communications device
WO2004062243A2 (fr) System and method for distributed authorization for access to a communications device
US20210203652A1 (en) Subscriber Identity Management
CN115186254A (zh) Data access control method and apparatus, and terminal device
US10405183B2 (en) Purposed device system and method for smartphone
US11838985B2 (en) Policy-based management of embedded subscriber identity module (eSIM) profiles
US12127000B2 (en) Unified enterprise management of wireless devices in a controlled environment
CN113286289A (zh) Permission confirmation method and electronic device
CN116669012A (zh) Method for managing communication functions in user equipment
CN116491141A (zh) System and method for making a SIM card a micro-platform
Siyaka et al. Mobile Phone Cloning: A Conceptual Review
KR20090095697A (ko) Mobile communication terminal with usage restriction capability, subscriber activation server, and usage restriction system and method using the same

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20050801

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

A4 Supplementary search report drawn up and despatched

Effective date: 20060228

RIC1 Information provided on ipc code assigned before grant

Ipc: H04Q 7/32 20060101ALI20060222BHEP

Ipc: H04Q 7/20 20060101ALI20060222BHEP

Ipc: H04M 3/00 20060101AFI20050627BHEP

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20061219

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230520