JP2013140459A - Network system utilizing smartphone - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a network system in which security countermeasures can be adopted even when smartphones are used for business.SOLUTION: Smartphone security platform software is installed in a terminal 1, an authenticated application is encrypted and stored in a secure platform area, the authenticated application which is encrypted is decrypted and used, and the application is encrypted and stored when the use of the application is terminated. A NW control unit 114 detects network environments to select a secure and best network to be used, and accesses a GW server 22 of an in-enterprise NW 20 to perform authentication with a terminal certificate 115. The GW server 22 notifies the terminal 1 of a network-compatible application and an encryption scheme table. In the terminal 1, an available application is communicable using a specified network and encryption scheme on the basis of the notified table.

Description

  The present invention relates to a network system using a smartphone, and more particularly to a network system that implements security measures when a smartphone is used by a company.

[Conventional technology]
In recent years, as the performance of smartphones and smart tablets (hereinafter referred to as “smartphones”) has improved, an increasing number of companies are considering introducing smartphones for business use in order to improve employee productivity. .

[Related technologies]
As a related prior art, there is "Distributed processing system protocol selection method" (Hitachi, Ltd.) [Patent Document 1] of Japanese Patent Laid-Open No. 06-214913.
Patent Document 1 discloses a distributed processing system that analyzes and accumulates application program task levels, evaluates the characteristics of protocols, levels, and application contexts that can be used in a computer system, and uses communication paths such as each protocol. A process for managing (selecting) is shown.

Non-Patent Document 1, “Security Management Service for Android Devices”, March 1, 2011, KDDI Corporation (www.kddi.com/business/service/security/pdf/android_security_kanri.pdf) [Non-patent Reference 1].
Non-Patent Document 1 discloses that an application is downloaded to a specific smartphone in a push manner in order to provide an environment in which the smartphone can be easily introduced.

Japanese Patent Laid-Open No. 06-214913

"Security management service for Android devices" March 1, 2011, KDDI Corporation (www.kddi.com/business/service/security/pdf/ android_security_kanri.pdf)

  However, in the above conventional network system, when considering security measures, it has been regarded as an extension of the conventional notebook PC so far, and smartphones such as storage device encryption, biometric authentication such as fingerprints, introduction of anti-virus software, etc. Many companies have adopted an approach in which security rules are defined based on the principle of complete protection.

Under such circumstances, there were the following problems.
In other words, the use of smartphones is not always online, limited CPU (Central Processing Unit) power and power supply capacity, and an open OS (Operating System) for some terminals. Therefore, when considering the specifications of smartphones and usage / introduction scenes, such as insufficient security measures as a platform and insufficient support for biometric authentication devices, the conventional notebook PC type rules are incompatible. There was a problem that there are many cases.

  In particular, when anti-virus software is installed on a smartphone and operated constantly, the power capacity (battery) is consumed quickly, and further, the operation of the smartphone is delayed.

  Furthermore, if the operation is permitted to install only the management target application related to the business like a conventional notebook PC, when the user wants to use a personally-owned smartphone, the user's resistance becomes stronger, and the smartphone is inherently As a result, the effect of improving productivity by using a smartphone for business use is limited.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a network system using a smartphone capable of taking security measures even if the smartphone is used for business purposes.

  The present invention for solving the problems of the above conventional example is a network system in which a terminal and a gateway server are connected by a plurality of networks. The terminal is controlled by platform software operating in the security platform area and the software. Is installed, detects the network to which the terminal can be connected by the operation of the software, and accesses the gateway server using a network selected according to a predetermined network connection order, The gateway server stores the correspondence between the network environment and available applications as a network correspondence table. When the terminal accesses, the correspondence table is notified to the terminal. In accordance with the correspondence table notified from the gateway server, icons of usable applications are displayed. When the displayed icon is selected, communication of the application corresponding to the selected icon is performed using the corresponding network environment. It is characterized by performing.

  In the above network system, the gateway server stores the encryption method corresponding to the network environment and the usable application in the correspondence table, and notifies the encryption method when notifying the correspondence table to the terminal. When the displayed icon is selected, the terminal performs communication of an application corresponding to the selected icon using the corresponding network environment and encryption method.

  According to the present invention, in the above network system, when a displayed icon is selected, the terminal can detect again a network to which the terminal can be connected, refer to the correspondence table, and connect to the application of the selected icon. It is determined whether there is a combination of network environments, and if there is one combination, communication with the application is performed using an encryption method corresponding to the application.

  According to the present invention, in the above network system, when a displayed icon is selected, the terminal can detect again a network to which the terminal can be connected, refer to the correspondence table, and connect to the application of the selected icon. It is determined whether there is a combination of network environments, and if there are multiple combinations, the network that can be connected is identified according to a predetermined network connection order, and an encryption method corresponding to the application in the determined network environment The communication is performed by the application.

  In the network system, when the terminal accesses the gateway server using a network selected according to a predetermined network connection order, the terminal performs encryption using an encryption method corresponding to the selected network. The terminal certificate is accessed using the stored terminal certificate, and the gateway server performs decryption using a decryption method corresponding to the encryption method, and authenticates the terminal certificate.

  The present invention is characterized in that, in the network system described above, an application operating in the security platform area accesses data of a system connected to the gateway server.

  The present invention is characterized in that, in the above network system, an application distribution server for downloading an application operating in the security platform area to a terminal via a gateway server is provided.

  In the above network system, the present invention provides a terminal management server that connects to a gateway server and manages the state of the terminal, and the terminal manages the information of applications that operate in the security platform area via the gateway server. And the terminal management server stores information of an application operating in the security platform area in the terminal.

  The present invention is a computer program that operates in a security platform area at a terminal, detects a network to which the terminal can be connected, and uses the network selected according to a predetermined network connection order as a gateway server. Accessing and receiving the network correspondence table notified from the gateway server in which the correspondence between the network environment and the usable application is set, and according to the correspondence table, the icon of the usable application is displayed and displayed. When the selected icon is selected, communication of the application corresponding to the selected icon is performed using the corresponding network environment.

  The present invention is the above computer program, and in the terminal, the correspondence table received from the gateway server is also set with the encryption method corresponding to the network environment and the usable application, and the displayed icon is selected. The communication of the application corresponding to the selected icon is performed using the corresponding network environment and the encryption method.

  The present invention is the above computer program, and when a displayed icon is selected in a terminal, the network to which the terminal can be connected is detected again, the correspondence table is referenced, and the selected icon is connected to the application. It is determined whether or not there is a combination of possible network environments, and if there is one combination, communication with the application is performed using an encryption method corresponding to the application.

  The present invention is the above computer program, and when a displayed icon is selected in a terminal, the network to which the terminal can be connected is detected again, the correspondence table is referenced, and the selected icon is connected to the application. It is determined whether there is a combination of possible network environments, and if there are multiple combinations, a network that can be connected is identified according to a predetermined network connection order, and encryption corresponding to the application in the determined network environment is determined. It communicates with the said application by a computerization system, It is characterized by the above-mentioned.

  According to the present invention, a network system in which a terminal and a gateway server are connected by a plurality of networks, the platform software operating in the security platform area and an application controlled by the software are installed in the terminal, and the software By detecting the network that the terminal can connect to, the gateway server is accessed using a network selected according to a predetermined network connection order, and the gateway server can be used with the network environment. The correspondence of various applications is stored internally as a network correspondence table. When there is an access from the terminal, the correspondence table is notified to the terminal, and the terminal notifies from the gateway server. As a network system that displays icons of usable applications according to the correspondence table, and when the displayed icon is selected, communication of the application corresponding to the selected icon is performed using the corresponding network environment. Therefore, there is an effect that security measures can be taken even if used for business.

  According to the present invention, the gateway server stores the encryption method corresponding to the network environment and the usable application in the correspondence table, and notifies the encryption method when notifying the correspondence table to the terminal. However, when the displayed icon is selected, the above network system performs communication of the application corresponding to the selected icon using the corresponding network environment and encryption method. There is also an effect that security measures can be taken.

1 is a schematic diagram of a network system according to an embodiment of the present invention. It is the schematic of the software configuration of a terminal. It is a process flowchart (1) in a terminal. It is a process flowchart (2) in a terminal. It is a processing flowchart in a GW server. FIG. 4A is a diagram illustrating an example of a terminal screen, in which (a) shows an SSP application before selection and (b) shows an SSP application after selection. It is the schematic of a network priority selection table. It is the schematic of a network corresponding | compatible application / encryption system table.

Embodiments of the present invention will be described with reference to the drawings.
[Outline of the embodiment]
The network system according to the embodiment of the present invention installs smartphone security platform software on a terminal, encrypts an authenticated application and stores it in the platform area, decrypts and uses the encrypted authenticated application, and uses The network control unit of this platform selects the safe and best network to use from the network environment, and uses it in the company according to the communication path and terminal certificate on the gateway server of the company network. The application can be controlled, and security measures can be taken even if a smartphone is used for business purposes.

[Outline of the system: Fig. 1]
A network system (this system) according to an embodiment of the present invention will be described with reference to FIG. FIG. 1 is a schematic diagram of a network system according to an embodiment of the present invention.
As shown in FIG. 1, the system includes a terminal (smart phone) 1, a mobile closed network 4a, a mobile public network 4b, base stations 5a, 5b, 5c, a general application market server 6, an Internet 7, An in-company network (in-company NW) 20 is configured.
The configuration of the network system shown in FIG. 1 is an example of this embodiment. A smartphone is an example of a terminal.

[Parts of this system]
[Terminal (smartphone) 1]
The terminal (smartphone) 1 includes a smartphone security platform (hereinafter, “this platform”) separately from the environment in which a normal application is operated, and operates the platform software to perform processing for improving the security of smartphone use. It is. The characteristic processing in the terminal 1 will be described later.

[Portable closed network 4a]
The mobile closed network 4a is a closed network environment and is a communication network provided by a mobile phone carrier.
[Portable public network 5b]
The mobile public network 5b is a public communication network for mobile phones.

[Base station 5]
The base station 5a is wired to the mobile closed network 4a, wirelessly connected to the terminal 1, and realizes communication between the mobile closed network 4a and the terminal 1.
The base station 5b is wired to the portable public network 5b, wirelessly connected to the terminal 1, and realizes communication between the portable public network 5b and the terminal 1.
The base station 5 c is wired to the Internet 7 and wirelessly connected to the terminal 1 to realize communication between the Internet 7 and the terminal 1.

[General Application Market Server 6]
The general application market server 6 is a server that connects to the Internet 7 and provides general applications for smartphones.

[Internet 7]
The Internet 7 is a network that connects the base station 5c and the company NW 20, and is connected to the general application market server 6.

[Company NW20]
An in-company network (in-house NW) 20 includes a firewall (FW) 21, a gateway server (GW server) 22, a sales support system 23, a customer management system 24, a backbone system 25, and a thin client server. 26, a mail server 27, an attendance management system 28, an MDM (Mobile Device Management) server 2, and an in-company application distribution server 3. However, the in-company system is not limited to the sales support system 23, the customer management system 24, the backbone system 25, the thin client server 26, the mail server 27, and the attendance management system 28.

[FW21]
The FW 21 is provided between the external network and the GW server 22 and prevents unauthorized access and virus intrusion from the external network.

[GW server 22]
The GW server 22 receives the terminal certificate from the terminal 1 and transmits a network-compatible application / encryption method table to the terminal 1 after authentication.

  In particular, the GW server 22 determines the security level according to the selected network, and controls the application according to the security level. For example, only a specific terminal that has been accessed via an in-house wireless LAN (Local Area Network) is permitted to access the backbone system 25.

[MDM server 2]
The MDM (Mobile Device Management) server 2 is a server for managing the terminal 1. When the terminal 1 is newly installed, the terminal ID is acquired and registered from the terminal 1, and the device driver, the terminal certificate, and the authenticated The application is downloaded to the terminal 1, and when the terminal 1 is lost, periodic notification information by GPS (Global Positioning System) is received to identify the lost place, and remote lock and remote wipe are executed.

[In-house application distribution server 3]
The in-company application distribution server 3 downloads a permitted application (authenticated application) used exclusively in the company to the platform area of the platform of the terminal 1.
Then, the in-company application distribution server 3 attaches a terminal certificate to each authenticated application and downloads it.

[Sales support system 23]
The sales support system 23 is a system using a computer that performs information processing for providing sales support.
[Customer management system 24]
The customer management system 24 is also a computer system that performs information processing for customer management.

[Core system 25]
The basic system 25 is a computer system that performs processing related to basic operations.
[Thin client server 26]
The thin client server 26 is a computer that accesses the sales support system 23, the customer management system 24, the core system 25, the attendance management system 28, etc. within the corporate NW 20.

[Mail server 27]
The mail server 27 is a server that controls and manages the transmission / reception and storage of business mail for the user of the terminal 1 in the corporate NW 20.
[Attendance management system 28]
The attendance management system 28 is a computer-based system that performs information processing for performing attendance management for the user of the terminal 1.

[Terminal configuration: Fig. 2]
Next, a specific configuration of the terminal 1 will be described with reference to FIG. FIG. 2 is a schematic diagram of the software configuration of the terminal.
As shown in FIG. 2, the terminal 1 includes a characteristic smartphone security platform (present platform) 11. In addition, the terminal 1 includes an application 12, an application framework 13, a library 14, a runtime 15, and a device driver. A kernel driver 16 and a terminal OS 17 are stored in the storage area.
In particular, the software of this platform is stored in a special area called a platform area in the storage area.

The application 12 is an unapproved application distributed from the general application market server 6.
The application framework 13 is a collection of classes and libraries used to implement the standard structure of applications for the terminal OS 17.
The library 14 is a program for controlling the device.

The runtime 15 is a software component such as an execution environment or a library that is required when the program is executed.
The kernel driver 16 includes device drivers, and abstracts hardware such as CPU, memory, and input / output, and enables process abstraction, inter-process communication, and system call in order to allow hardware and software to communicate with each other. Etc. are software parts that provide
The terminal OS 17 is an operating system customized for the terminal.

[Smartphone security platform 11]
The smartphone security platform (this platform) 11 is stored in a security area called a platform area, and stores an authenticated application (1) 111 and an authenticated application (2) 112 as shown in FIG. 113 includes a network (NW) control unit 114 and stores a terminal certificate 115.
This platform software is installed in the security infrastructure 113 at the time of new registration from the MDM server 2, and becomes a resident application in conjunction with the power-on of the terminal 1, and executes various characteristic processes described later. The platform software is installed by downloading the terminal 1 connected to the MDM server 2 offline (for example, a USB cable). This is because the GW server 22 does not recognize the new terminal.

  The platform area can be downloaded only from the MDM server 2 or the in-company application distribution server 3 permitted by the MDM server 2 and only the authorized authenticated application, and the downloaded application is installed as a managed application. The

The authenticated applications 111 and 112 are downloaded from the in-company application distribution server 3 to the terminal 1 and stored in the platform area.
The authenticated applications 111 and 112 are applications that are permitted to access data such as a system in the company NW 20.
Although the authenticated application 111 and the authenticated application 112 are stored as the authenticated applications, more authenticated applications may be registered and stored. The authenticated application is normally encrypted, and is decrypted using the terminal certificate when the application is used, and is encrypted when the use ends.

The security infrastructure 113 is a configuration that forms the core of the platform.
Specifically, the execution of the platform software that operates on the security infrastructure 113 allows firstly an authenticated application in the platform area, encryption / decryption of data, second, restriction and monitoring of unauthorized access, and third, It performs automatic control of the secure network.
The NW control unit 114 performs control for selecting an optimum network by automatic control of the secure network, and transmits the terminal certificate 115 to the in-company NW 20.

[Functions of this system]
Next, functions of this system will be described.
The functions implemented in this system are the security platform function and secure network selection function implemented in the terminal 1, the MDM function implemented in the MDM server 2, the application download site function implemented in the enterprise application distribution server 3, the GW There is a corporate gateway function realized by the server 22.

[Security Platform Function]
The security platform function is realized by operating a processing program (platform software) stored in the platform area by the control unit in the terminal 1, and encrypts the authenticated application and data stored in the platform area. The data is decrypted when the data is used, and encrypted when the data is used and stored.

In addition, the security platform function monitors attacks from the malware to the platform area (sandbox) by restricting calls from other applications to the authenticated application in the platform area, and auditing and notifying. Prevent unauthorized access.
Specifically, in the platform area, a log of the user of the terminal 1 is collected and stored, and access monitoring is performed.
Data exchange between authenticated applications is also performed after authentication with a terminal certificate.

[Secure network selection function]
The secure network selection function is realized by the NW control unit 114 of the terminal 1, and the authenticated application registered in this platform is a VPN (Virtual Private Network), HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer). The best network is selected from a secure network such as a portable closed network or a portable public network according to the characteristics of the application and the environment of the terminal.

Specifically, a plurality of network environments connectable by the NW control unit 114 are detected, a network priority selection table stored in the NW control unit 114 is referred to, a network having a higher priority order is selected, and the GW server 22 transmits the terminal certificate 115.
The GW server 22 authenticates the terminal certificate 115 transmitted from the terminal 1, and if the authentication is OK, returns (notifies) the network compatible application / encryption method table to the terminal 1.

The terminal 1 receives the network compatible application / encryption method table notified from the GW server 22, refers to the table, identifies the usable application from the information on the connectable network, and displays it on the screen. A network that can be connected again by selection is detected, and communication with the application is performed using the usable application and the encryption method with reference to the network compatible application / encryption method table and the network priority selection table.
A network selection example corresponding to a specific application will be described later.

Here, the network-compatible application / encryption method table is basically notified to the terminal 1 by the GW server 22, but may be stored in the terminal 1 in advance.
The “thin client server” means an application for accessing each server of the corporate NW 20 and the desktop environment on the system from the terminal 1.

[Processing flow at terminal: Figs. 3, 4, 6]
Next, a processing flow in the terminal 1 for realizing the secure network selection function will be described with reference to FIGS. 3, 4 and 6. FIG. FIG. 3 is a process flowchart (1) at the terminal, and FIG. 4 is a process flowchart (2) at the terminal. FIG. 6 shows a screen example of the terminal, in which (a) shows before the SSP (Smart phone Security Platform) application selection, and (b) shows after the SSP application selection.
Although FIGS. 3 and 4 are continuous diagrams, they are divided into two diagrams due to space limitations, and both diagrams are connected in FIG.

  As shown in FIG. 3, it is determined whether or not an operation such as touching an SSP application icon (see FIG. 6A) is performed on the terminal 1 (S1), and if the operation is not performed (S1). In the case of No), when the determination processing S1 is repeated and an operation is performed (in the case of Yes), the NW control unit 114 next determines the status of the connectable network (S2).

  Here, there may be a plurality of connectable networks. For example, a mobile public network, Wi-Fi (internal), Wi-Fi (external), a mobile closed network, the Internet, and the like. Further, it is confirmed that the VPN setting is set in the terminal 1 as necessary. This can be realized by the library 14 installed in the smartphone as a standard.

  The NW control unit 114 selects a network to be connected in accordance with a connection priority order stored in advance (S3), transmits a terminal certificate to the GW server 22 through the selected network, and requests a network-compatible application / encryption method table. (S4). That is, the terminal certificate is used for accessing the GW server 22.

  The terminal 1 determines whether or not the notification from the GW server 22 has been received (S5). If the notification has not been received (in the case of No), the determination process S5 is repeated. If the notification is received (in the case of Yes), the network compatible application / encryption method table is received from the GW server 22 and stored in the security infrastructure 113 (S6).

  Further, the terminal 1 refers to the network-compatible application / encryption method table, and identifies a usable application from the connectable network information acquired in the process S2 (S7). Then, the terminal 1 displays the identified application icon on the screen (S8).

  Thereafter, as shown in FIG. 4, it is determined whether or not the application displayed on the screen is selected (S9). If not selected (No), the determination process S9 is repeated. When the application is selected (in the case of Yes), the NW control unit 114 again determines the network status that can be connected (S10).

  Then, the NW control unit 114 determines whether or not there is a combination of the selected application and the connectable network detected in step S10 in the network compatible application / encryption method table (S11). Terminates the processing, and when there is one combination, communication is performed by the application selected by the corresponding encryption method (S12), and then the processing ends.

If there are a plurality of combinations in the determination process S11, the network priority selection table is referred to determine the combination with the higher priority network (S13), and the application with the encryption method corresponding to the determined network is determined. (S14), and the process ends.
In this way, application operation processing in the terminal 1 is performed.

[Processing flow in GW server 22: FIG. 5]
Next, a processing flow in the GW server 22 will be described with reference to FIG. FIG. 5 is a process flowchart in the GW server.
The GW server 22 determines whether or not there is reception from the terminal 1 (S21). If there is no reception (No), the determination process S11 is repeated. If there is reception (in the case of Yes), it is determined whether or not the authentication by the transmitted terminal certificate is OK (S22). If the authentication is NG (in the case of No), the process is terminated.

If the authentication is successful (authentication OK) (if Yes), the network compatible application / encryption method table is transmitted (notified) to the terminal 1 (S23).
The network-compatible application / encryption method table to be transmitted does not have to be the same for all terminals, and a table with different contents may be transmitted according to the terminal ID. For example, it is conceivable to change the table contents in accordance with the job authority specified from the terminal ID.

  In the above example, the GW server 22 notifies the terminal 1 of the network compatible application / encryption method table, but may be set in the terminal 1 in advance.

[Specific network selection example: FIGS. 7 and 8]
Before describing a specific network selection example, a network priority selection table stored in the NW control unit 114 of the terminal 1 and a network compatible application / encryption method table stored in the GW server 22 will be described. FIG. 7 is a schematic diagram of a network priority selection table, and FIG. 8 is a schematic diagram of a network-compatible application / encryption method table.

[Network priority selection table: FIG. 7]
As shown in FIG. 7, the network priority selection table sets priorities for a plurality of network environments to be connected, and refers to the table from the network environments detected by the NW control unit 114. A network environment with a high priority is selected and the GW server 22 is accessed.

[Network-compatible application / encryption method table: FIG. 8]
As shown in FIG. 8, the network compatible application / encryption method table is a table in which the correspondence between the network environment, usable applications (applications), and encryption methods is set.
Specifically, when the network environment is “in-house Wi-Fi”, the usable application is “mail”, and the encryption method to be used is “network without encryption”.
When the network environment is “External Wi-Fi”, the usable applications are “Mail” and “Attendance management system”, and the encryption methods (encryption protocols used) are “VPN” and “HTTPS”, respectively. "

  Note that information about applications that cannot be used with the encryption method set to “access denied” may be set.

Next, processing in the terminal 1 and the GW server 22 when the network environment detected by the terminal 1 is “external Wi-Fi” and “mobile public network” will be described.
First, the terminal 1 refers to the network priority selection table, selects “external Wi-Fi” having a high priority (S3), and transmits the terminal certificate to the GW server 22 using “external Wi-Fi” (S4). ).

When receiving the terminal certificate (S21), the GW server 22 transmits a network-compatible application / encryption method table to the terminal 1 after authentication (S22, S23).
The terminal 1 receives the network compatible application / encryption method table and stores it in the security infrastructure 113 (S6), and identifies an application that can be used with reference to the table. That is, since the detected connectable network environments are “external Wi-Fi” and “portable public network”, the usable applications are identified as “mail” and “time management system” (S7), and the screen The icon of the application is displayed on (S8).

  When the application “mail” is selected from the displayed icon on the terminal 1 (S9), the NW control unit 114 detects the network environment again (S10). When the detected network environment is “external Wi-Fi” and “mobile public network”, a combination of the network and the application, that is, (network “external Wi-Fi”, application “mail”) and (network “mobile public network” , Application “e-mail”) is registered in the network compatible application / encryption method table (S11), and since both are registered in the example of FIG. 8, the priority order is referred to the network priority selection table. The network is determined to use the “external Wi-Fi” having a high level (S13), and the communication with the application “mail” is performed using the corresponding encryption method “VPN” (S14).

  When the encryption method is “access not permitted” (access prohibited), this fact may be displayed on the display screen.

[Effect of the embodiment]
According to this system, a smartphone security platform (this platform) is formed on the terminal 1, the platform software is installed, the authenticated application is encrypted and stored in a secure platform area, and the encrypted authenticated application is Decrypted and used, encrypted and stored at the end of use, the NW control unit 114 of this platform detects the network environment, selects the safe and best used network, and accesses the GW server 22 of the corporate NW 20 Authenticate with the terminal certificate, and the GW server 22 notifies the terminal 1 of a table for setting available applications and encryption methods corresponding to the network environment. The terminal 1 can use the table based on the notified table. Applications identified with the network Scheme is intended to be available in, there is an effect that can be utilized smartphone for business improve the security measures.

  In addition, according to this system, it is possible to monitor applications according to the importance of security within the enterprise, thereby improving the convenience of terminal users, improving management efficiency, and improving business efficiency. effective.

  INDUSTRIAL APPLICABILITY The present invention is suitable for a network system using a smartphone that can take security measures even if the smartphone is used for business purposes.

  DESCRIPTION OF SYMBOLS 1 ... Terminal (smartphone), 2 ... MDM server, 3 ... In-house application distribution server, 4a ... Mobile closed network, 4b ... Mobile public network, 5a, 5b, 5c ... Base station, 6 ... General application market server, 7 ... Internet, 11 ... Smartphone security platform (this platform), 12 ... Application, 13 ... Application framework, 14 ... Library, 15 ... Runtime, 16 ... Kernel driver, 17 ... Terminal OS, 20 ... In-house network (in-house NW), 21 ... Firewall (FW), 22 ... Gateway server (GW) Server), 23 ... Sales support system, 24 ... Customer management system, 25 ... Core system, 26 ... Thin client server, 27 ... Menu 28 ... Attendance management system, 111 ... Authenticated application (1), 112 ... Authenticated application (2), 113 ... Security infrastructure, 114 ... Network (NW) control unit, 115 ... Terminal certificate

Claims (12)

A network system in which a terminal and a gateway server are connected by a plurality of networks,
Platform software operating in the security platform area and an application controlled by the software are installed in the terminal, a network to which the terminal can be connected is detected by the operation of the software, and a predetermined network connection order Accessing the gateway server using a network selected according to
The gateway server stores the correspondence between the network environment and usable applications as a network correspondence table, and notifies the terminal of the correspondence table when accessed from the terminal.
The terminal displays an icon of the usable application according to the correspondence table notified from the gateway server, and when the displayed icon is selected, communication of the application corresponding to the selected icon is performed. A network system characterized by being performed using a corresponding network environment. The gateway server stores the encryption method corresponding to the network environment and the usable application in the correspondence table, and also notifies the encryption method when notifying the correspondence table to the terminal,
The network according to claim 1, wherein when the displayed icon is selected, the terminal performs communication of an application corresponding to the selected icon using a corresponding network environment and an encryption method. system.   When the displayed icon is selected, the terminal again detects a network to which the terminal can be connected, refers to the correspondence table, and whether there is a combination of the network environment that can be connected to the application of the selected icon. 3. The network system according to claim 2, wherein if there is one combination, communication with the application is performed by an encryption method corresponding to the application.   When the displayed icon is selected, the terminal again detects a network to which the terminal can be connected, refers to the correspondence table, and whether there is a combination of the network environment that can be connected to the application of the selected icon. If there are a plurality of combinations, a network that can be connected is specified according to a predetermined network connection order, and communication with the application is performed with an encryption method corresponding to the application in the determined network environment. The network system according to claim 2, wherein the network system is performed. When a terminal accesses a gateway server using a network selected according to a predetermined network connection order, the terminal uses a terminal certificate that is encrypted and stored using an encryption method corresponding to the selected network. Access
5. The network system according to claim 1, wherein the gateway server performs decryption by a decryption method corresponding to the encryption method, and authenticates the terminal certificate.   6. The network system according to claim 1, wherein the application operating in the security platform area accesses data of a system connected to the gateway server.   7. The network system according to claim 1, further comprising an application distribution server that downloads an application operating in a security platform area to a terminal via a gateway server. Connect to the gateway server and provide a terminal management server to manage the state of the terminal,
The terminal transmits information of an application operating in a security platform area to the terminal management server via the gateway server,
The network system according to claim 1, wherein the terminal management server stores information on an application operating in the security platform area in the terminal.   The terminal operates in the security platform area, detects a network to which the terminal can be connected, accesses the gateway server using a network selected according to a predetermined network connection order, and is notified from the gateway server. The network correspondence table in which the correspondence between the network environment and the usable application is set is received, the icon of the usable application is displayed according to the correspondence table, and the selected icon is selected when the displayed icon is selected. A computer program for performing communication of an application corresponding to a displayed icon using a corresponding network environment.   In the terminal, the correspondence table received from the gateway server is also set with the encryption method corresponding to the network environment and the usable application. When the displayed icon is selected, the application corresponding to the selected icon is selected. The computer program according to claim 9, wherein the communication is performed using a corresponding network environment and an encryption method.   When the displayed icon is selected in the terminal, the network to which the terminal can be connected is detected again, the correspondence table is referenced, and there is a combination of the network environment that can be connected to the application of the selected icon. The computer program according to claim 10, wherein if there is one combination, communication with the application is performed by an encryption method corresponding to the application.   When the displayed icon is selected in the terminal, the network to which the terminal can be connected is detected again, the correspondence table is referenced, and there is a combination of the network environment that can be connected to the application of the selected icon. If there are a plurality of combinations, a network that can be connected is specified according to a predetermined network connection order, and communication with the application is performed with an encryption method corresponding to the application in the determined network environment. The computer program according to claim 10, wherein the computer program is performed.

Images