WO2014033492A1 - Methods and apparatus for controlling permissions to be granted to applications on user equipment responsive to user privacy profiles - Google Patents

Publication number
WO2014033492A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
user
profile
user equipment
equipment node
Application number
PCT/IB2012/001679
Other languages
French (fr)
Inventor
Joerg Niemoeller
Stefan Avesand
Leonid Mokrushin
Farjola Zaloshnja
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to US14/424,097 priority Critical patent/US10122726B2/en
Priority to EP12769470.1A priority patent/EP2891340A1/en
Priority to PCT/IB2012/001679 priority patent/WO2014033492A1/en
Publication of WO2014033492A1 publication Critical patent/WO2014033492A1/en
Priority to IN1254DEN2015 priority patent/IN2015DN01254A/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/50 Service provisioning or reconfiguring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/306 User profiles

Definitions

  • the present disclosure relates to communication networks and, more particularly, to controlling the distribution and operation of applications on user equipment nodes.
  • the downloading process typically involves a user opening the marketplace application and entering a key word that is to be used to search for a desired application.
  • the user may select among buttons representing categories of applications, such as "games" or "featured." In either case, the user is presented with a listing of applications from which to choose.
  • an application can access or attempt to access any or all resources that are available on or through the user equipment. For example, an application may access the user's private contact information, determine the user's location, track the user's typing or data entering into other applications, and share information or seek information with others through one or more network connections (e.g., cellular, WiFi, etc.) provided by the user equipment.
  • Some operating systems attempt to regulate what rights an application is granted, by querying the user for such permissions when the application is granted.
  • some users may not adequately consider such queries when responding, or may not understand the possible unacceptable consequences of providing permission for an application to have various resource rights.
  • the present processes for finding, installing, and controlling applications on user equipment nodes continue to be unreasonably burdensome to some users and can fail to sufficiently safeguard users' interests.
  • One embodiment is directed to a method by at least one network node of an application control system for controlling operation of applications on user equipment nodes.
  • the method includes receiving user information that identifies a user of the user equipment node and application information that identifies an application that the user has selected for installation on the user equipment node.
  • a user profile is retrieved from among a plurality of user profiles in a user profile repository using the user information to identify the user profile.
  • the user profile indicates the user's preferences for restricting access by applications to resources of the user equipment node.
  • An application profile is retrieved from among a plurality of application profiles in an application profile repository using the application information to identify the application profile.
  • the application profile indicates resources of the user equipment node that the application will access during operation.
  • Settings configuration information is generated responsive to the user profile and the application profile, and indicates what permissions are to be granted to the application while operating on the user equipment node.
  • the application and the settings configuration information are communicated through a data network to the user equipment node for installation of the application and configuration of the permissions that are to be granted to the application during operation.
  • a potential advantage of this approach is that a user can define various security, privacy, and other criteria preferences for restricting access by applications to resources, such as personal data, contact information, hardware components, and/or other applications that are part of and/or are accessible through the user equipment node.
  • the user profile can be defined without being restricted for use with any one particular application, but instead can be used for any application that will be installed on the user equipment node.
  • the user profile can then be used whenever an application is installed on the user equipment node to automatically configure the application's settings so that the application operates in a manner that is acceptable to the user.
  • configuration of the application settings in this manner may be performed using a more exhaustive level of analysis than may be possible by a user who may know far less information as to the effect of various application settings on the resources that will be accessed by a particular application during operation.
  • Another embodiment is directed to a method by a user equipment node for controlling operation of applications on the user equipment node.
  • the method includes receiving an application from at least one network node through a data network.
  • Settings configuration information is received from the at least one network node.
  • the settings configuration information indicates what permissions are to be granted to the application while operating on the user equipment node.
  • the application is installed on the user equipment node to enable a user to initiate operation of the application through a user interface of the user equipment node.
  • Permission settings are configured for the application, responsive to the settings configuration information, that restrict what resources of the user equipment node the application will be allowed to access during operation.
  • the at least one network node includes a user profile repository, an application profile repository, and an application installation and settings controller.
  • the user profile repository stores a plurality of user profiles, where each of the user profiles indicates a user's preferences for restricting access by applications to resources of a user equipment node.
  • the application profile repository stores a plurality of application profiles, where each of the application profiles indicates resources of a user equipment node that an application will access during operation.
  • the application installation and settings controller receives user information that identifies a user of a user equipment node and application information that identifies an application that the user has selected for installation on the user equipment node.
  • the application installation and settings controller retrieves one of the user profiles from among the plurality of user profiles stored at the user profile repository using the user information to identify the user profile, and retrieves one of the application profiles from among the plurality of application profiles stored at the application profile repository using the application information to identify the application profile.
  • the application installation and settings controller generates settings configuration information, responsive to the user profile and the application profile, that indicates what permissions are to be granted to the application while operating on the user equipment node.
  • the controller communicates the application and the settings configuration information through a data network to the user equipment node for installation of the application and configuration of the permissions that are to be granted to the application during operation.
  • Figure 1 is a block diagram of an application control system that is configured to operate according to some embodiments;
  • Figure 2 is a data flow diagram illustrating example operations and methods for registering applications to generate application profiles, according to some embodiments;
  • Figure 3 is a data flow diagram illustrating example operations and methods for generating user profiles, according to some embodiments;
  • Figure 4 is a data flow diagram illustrating example operations and methods for identifying applications, installing applications, and configuring application settings responsive to a user profile and an application profile, according to some embodiments;
  • Figure 5 is a data flow diagram illustrating example operations and methods for generating updated user settings and reconfiguring application settings responsive to the updated user settings, according to some embodiments;
  • Figures 6-12 are flowcharts of operations and methods performed by one or more network nodes of an application control system to control operation of an application on a user equipment node, according to some embodiments;
  • Figures 13-14 are flowcharts of operations and methods performed by a user equipment node to configure permission settings of an application, according to some embodiments; and
  • Figure 15 is a block diagram of an example network node in an application control system, which is configured to operate according to some embodiments.
  • FIG. 1 is a block diagram of an application control system 100 that is configured to operate according to some embodiments.
  • the application control system 100 can communicate with user equipment nodes 120 via a data network 150 (e.g., wide area network) and a wired and/or radio access network 152.
  • the application control system 100 can contain information that indicates a user's preferences for privacy, security, and/or other user defined criteria, and can assist a user with selecting applications that satisfy those known user preferences.
  • the system 100 can also download an application to the user equipment node 120 and can automatically configure the settings of the application to restrict the operation of the application on the user equipment node 120 in ways that satisfy the known privacy, security, and/or other defined preferences of the user.
  • the application control system 100 can include an application query controller
  • the application query controller 108 can generate an application profile for each of the applications, where the application profile indicates resources of a user equipment node that the application will access during operation.
  • the application profiles can be stored in an application profile repository 104.
  • the application query controller 108 may identify, for example, what resource rights an application needs in order to perform various identified modes of operation of the application, and may further identify resource rights that the application may seek but which are needed only for information collection and not for an operational mode that is provided to the user (e.g., background tracking of feature utilization for communication to an application developer without knowledge of the user).
  • Resources of the user equipment node 120 can include, but are not limited to, personal data of the user, contact information (e.g.,
  • the application control system 100 may provide a secure application store
  • an independent application store 160 which can be networked through the data network 150 to the application control system 100, can contain applications that may not have been examined to identify their resource needs and privacy/security risks, and for which associated application profiles may have not been generated and stored in the application profile repository 104.
  • a user may, for example, browse applications through the secure application store 110 to view privacy and security ratings and information associated with the various applications that have been examined, and to further view pricing of the applications.
  • the secure application store 110 may warn a user about applications that are known to operate in a malicious or generally privacy invasive manner (e.g., uses the camera and/or microphone of the user equipment node without informing the user and/or without obtaining user
  • a user may choose to purchase an application through the secure application store 110 instead of the independent application store 160 because of the ability to
  • applications that are listed by, or obtainable through, the secure application store 110 may be guaranteed to be free of malware and unwanted privacy breaching operations, and may be operationally compatible for use under the criteria that the user has defined in the user's profile.
  • FIG. 2 is a data flow diagram that illustrates example operations and methods for registering applications to generate application profiles, according to some embodiments.
  • the application query controller 108 can analyze applications in the secure application store 160, and may further analyze applications in the independent application store 110, to generate (block 206) information that characterizes what resources each application will access (e.g., to receive information from, send information to, and/or execute using) during operation on the user equipment node 120.
  • the application query controller 108 stores (block 204) information characterizing the application in the application profile repository 104.
  • the application profile repository 104 can store a plurality of application profiles, where each of the application profiles indicates resources of the user equipment node 120 that an application will access during operation.
  • Analysis of the applications may or may not be fully automated without human intervention. It is contemplated that in some embodiments, personnel of a security service provider will review applications to identify their resource preferences/requirements, and will generate at least a portion of the application profiles for the analyzed applications.
  • the application query controller 108 may copy the analyzed applications from the independent application store 110 to the secure application store 160.
  • the secure application store 160 may therefore contain the same applications as the independent application store 110, when those applications have been analyzed.
  • the application query controller 108 may create reference pointers to applications that have been analyzed in the independent application store 110 and store the reference pointers in the secure application store 160, which will allow a user to browse applications listed in the secure application store 110 and select an application that is to be downloaded, using the associated reference pointer, from the independent application store 110 to the user equipment node.
  • the application control system 100 can know a user's preferences for what privacy and security related information and resources can be accessible to applications during operation on the user equipment node.
  • the system 100 can generate a user profile which defines those preferences, and may query the user through a question and answer message dialogue about what resources, information, and other privacy and security related operations are considered by the user to be acceptable during operation of an application on the user equipment node.
  • FIG. 3 is a data flow diagram illustrating example operations and methods for generating user profiles, according to some embodiments.
  • the application control system 100 can include an application installation and settings controller 102.
  • a user can operate the user equipment node 120 to log into the user's account and initiate registration (block 300) of a user application profile.
  • the controller 102 can generate (block 302) user profile information that indicates the user's preferences for restricting access by applications to resources of the user equipment node 120.
  • the controller 102 can store (block 304) the user profile information in the user profile repository 106 associated with an identifier for the user's account.
  • the user profile repository 106 can store a plurality of user profiles, where each of the user profiles indicates a user's preferences for restricting access by applications to resources of the user equipment node 120.
  • the user profile information may be obtained by generating question prompts to the user and receiving responsive answers from the user through the data network 150 and the user equipment node 120 operated by the user.
  • the questions may be defined to gauge the level of acceptability to the user if an application accesses defined types of information and/or applications (e.g., contact information, address information, geographic location information, user activity tracking, tracking information input to or output from the application and/or other applications, etc.), if an application accesses defined types of hardware resources of a user equipment node (e.g., cellular network interfaces, wired network interfaces, Bluetooth network interfaces, near field communication interfaces, and/or wireless local area network interfaces to allow communication by the network node outside the user equipment node, positioning modules such as GPS, removable memory module, etc.).
  • the user may be able to choose from among a plurality of sets of defined user profile information that are typically determined to be acceptable to users, or the user may be provided with a default set of user profile information that the user can modify in various manners to increase/decrease various privacy/security/other constraints on applications.
  • Figure 4 is a data flow diagram illustrating example operations and methods for identifying applications, installing applications, and configuring application settings responsive to a user profile and an application profile, according to some embodiments.
  • a user generates (block 400) an application query that identifies the user and at least one keyword that is to be searched to identify candidate applications for the user to download to the user equipment node 120.
  • the application query controller 108 receives the query and retrieves (block 402) one of the user profiles from among the plurality of user profiles stored at the user profile repository 106 using the user information to identify the user profile.
  • the user profile indicates the user's preferences for restricting access by applications to resources of the user equipment node 120.
  • the application query controller 108 uses the user profile and application profiles in the application profile repository 104 to identify (block 404) applications that satisfy criteria defined by the user's profile.
  • the application query controller 108 may use the user profile to select between searching for applications within the secure application store 110, which can contain applications that have corresponding application profiles stored in the application profile repository 104, and the independent application store 160, which can contain applications that do not have corresponding application profiles stored in the application profile repository 104.
  • the application query controller 108 identifies (block 404) to the user equipment node 120 which applications satisfy criteria defined by the user's profile and which further satisfy conditions of the user's query (e.g., user defined search keywords, categories, etc.).
  • the application query controller 108 can also warn the user when an application has one or more operational modes that have privacy and/or security issues that may be undesirable to a user.
  • the application query controller 108 can also warn the user when the application will be constrained, by settings configurations which meet the user profile criteria, to one or more operational modes that provide less than full functionality and/or which provide reduced functionality operational modes.
  • the application profile can indicate a plurality of modes of operation of the application, where each of the modes of operation has a different group of resources that the application will access during operation.
  • the application query controller 108 can identify which, if any, of the operational modes satisfy the criteria defined by the user's profile, and can warn the user of which operational modes will be allowed and/or which operational modes will not be allowed when the application settings are configured pursuant to the criteria defined by the user's profile.
  • the user generates (block 406) an application request, via the user equipment node 120.
  • the controller 102 receives the user information that identifies the user of the user equipment node (120) and application information that identifies the application that the user has selected for installation on the user equipment node 120.
  • the application is obtained (block 408) from the secure application store 110 or the independent application store 160 (e.g., depending upon the user's profile).
  • the user profile is retrieved (block 410) from among the plurality of user profiles in the user profile repository 106 using the user information to identify the user profile.
  • the application profile is retrieved (block 410) from among a plurality of application profiles in the application profile repository 104 using the application information to identify the application profile.
  • Settings configuration information is generated (block 412) responsive to the user profile and the application profile, where the settings configuration information indicates what permissions are to be granted to the application while operating on the user equipment node 120.
  • the controller 102 communicates (block 414) the application and the settings configuration information through the data network 150 to the user equipment node 120.
  • the application profile may indicate a plurality of modes of operation of the application, where each of the modes of operation has a different group of resources that the application will access.
  • the controller 102 can select among the modes of operation of the application indicated by the application profile, responsive to the user's preferences indicated by the user profile, and can generate the settings configuration information to indicate that a selected mode of operation having a corresponding group of resources is permitted to be granted to the application while operating on the user equipment node 120.
  • When the controller 102 determines that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile, it can, in response to the determination, communicate a message through the data network 150 to the user equipment node 120 informing the user that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile.
  • the user equipment node 120 receives (block 416) the application and the settings configuration information, installs the application to enable user initiated operation of the application through a user interface of the user equipment node 120, and configures permission settings for the application that restrict what resources of the user equipment node 120 the application will be allowed to access during operation, responsive to the settings configuration information.
  • the application settings can be automatically configured by the user equipment node 120, without needing input from the user during such configuration, by using the settings configuration information which is generated by the application installation and settings controller 102.
  • a user can therefore define various security, privacy, and/or other criteria when defining the user profile, and the user profile can then be used whenever installing an application on the user equipment node to automate configuration of the application settings so that the application operates in a manner that is acceptable to the user, as defined by the user profile criteria.
  • configuration of the application settings in this manner may be performed using a more exhaustive level of analysis than may be possible by a user who may know far less information as to the effect of various application settings on the resources that will be accessed by a particular application during operation.
  • FIG. 5 is a data flow diagram illustrating example operations and methods for generating updated user settings and reconfiguring application settings responsive to the updated user settings, according to some embodiments.
  • the user operates the user equipment node 120 to modify (block 500) the defined preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node 120, and communicate the modified criteria to the application installation and settings controller 102.
  • the controller 102 receives (block 502) the updated privacy and security preferences information, from the user through the data network 150, and generates (block 502) an updated user profile responsive to the updated privacy and security preferences information.
  • the updated user profile is stored (block 504) in the user profile repository 106 associated with the identifier for the user.
  • the controller 102 generates (block 508) updated settings configuration information, responsive to the updated user profile and the application profile, and communicates (block 510) the updated settings configuration information through the data network 150 to the user equipment node 120.
  • the user equipment node 120 responds thereto by reconfiguring (block 512) the application settings permissions that are granted to the application during operation on the user equipment node 120.
  • the system 100 and the user equipment node 120 may communicate through a secure communication channel using, for example, Extensible Markup Language (XML).
  • Figures 6-12 are flowcharts of operations and methods performed by one or more network nodes (e.g., the application installation and settings controller 102 and the application query controller 108 of the application control system 100) to control operation of an application on a user equipment node (e.g., the application equipment node 120) according to some embodiments.
  • user information is received (block 600) by the network node that identifies a user of the user equipment node 120 and application information that identifies an application that the user has selected for installation on the user equipment node 120.
  • the network node retrieves (block 602) a user profile from among a plurality of user profiles in the user profile repository 106 using the user information to identify the user profile.
  • the user profile indicates the user's preferences for restricting access by applications to resources of the user equipment node 120.
  • the network node retrieves (block 604) an application profile from among a plurality of application profiles in the application profile repository 104 using the application information to identify the application profile.
  • the application profile indicates resources of the user equipment node 120 that the application will access during operation.
  • the network node generates (block 606) settings configuration information, responsive to the user profile and the application profile, that indicates what permissions are to be granted to the application while operating on the user equipment node 120.
  • the network node communicates (block 608) the application and the settings configuration information through a data network 150 to the user equipment node 120 for installation of the application and configuration of the permissions that are to be granted to the application during operation.
  • the user equipment node 120 receives (block 700) the application and the settings configuration information, and installs (block 702) the application to enable user initiated operation of the application through a user interface of the user equipment node 120.
  • the user equipment node 120 configures (block 704) permission settings for the application that restrict what resources of the user equipment node 120 the application will be allowed to access during operation, responsive to the settings
  • Some further embodiments are directed to various types of information that can be communicated through an application profile, and to defining how that information can be used to control settings of the corresponding application.
  • the application profile indicates a plurality of modes of operation of the application, where each of the modes of operation has a different group of resources that the application will access.
  • the application profile may indicate first, second, and third modes of operation by the application, where the first mode of operation of the application provides more functionality than the second and third modes of operation of the application, and where the first mode of operation of the application uses a first group of the resources that is a superset that includes second and third groups of the resources used, respectively, by the second and third modes of operation of the application.
  • generation of the settings configuration information can include selecting (block 800) among the modes of operation of the application indicated by the application profile, responsive to the user's preferences indicated by the user profile, and can further include generating (block 802) the settings configuration information to indicate that a selected mode of operation which uses a corresponding group of resources is permitted to be granted to the application while operating on the user equipment node 120.
  • Generation of the settings configuration information can further include indicating that a non-selected one or more modes of operation using a corresponding one or more groups of resources are not permitted to be granted to the application while operating on the user equipment node 120.
  • the system 100 can inform a user when no applications satisfy the criteria defined by the user profile.
  • the method and operation can include determining (block 900) that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile, and communicating (block 902) a message through the data network 150 to the user equipment node 120 informing the user that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile in response to the determination.
  • Some further embodiments are directed to various ways that the user profile can be created, and how later changes to the user's profile can cause updated settings configuration information to be generated and communicated to the user equipment node for use in reconfiguring the settings of the corresponding application that is installed on the user equipment node.
  • privacy and security preferences information is received (block 1000) from the user through the data network 150, and which indicates the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node 120.
  • the user profile is generated (block 1002) responsive to the privacy and security preferences information from the user.
  • the user profile is stored (block 1004) in the user profile repository 106 associated with an identifier for the user.
  • the privacy and security preferences information can be received (block 1000) responsive to the user logging into a subscriber account and initiating generation of the user profile, which can then initiate operations for obtaining the privacy and security preferences information from the user by generation of question prompts that are sent to the user, and responsive answers that are received from the user through the data network 150 and the user equipment node 120 operated by the user.
  • updated privacy and security preferences information is received (block 1100) from the user through the data network 150, that indicates changes in the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node 120.
  • An updated user profile is generated (block 1102) responsive to the updated privacy and security preferences information.
  • the updated user profile is stored (block 1104) in the user profile repository 106 associated with the identifier for the user.
  • Updated settings configuration information is generated (block 1106) responsive to the updated user profile and the application profile.
  • the updated settings configuration information is communicated (block 1108) through the data network 150 to the user equipment node 120 to cause the user equipment node 120 to reconfigure the permissions (application settings) that are to be granted to the application during operation.
  • Some further embodiments are directed to operations and methods for controlling the application query controller 108 to select between querying the independent application store 160 and the secure application store 110 depending upon the user's profile.
  • an application query is received (block 1200) that identifies at least one keyword that is to be searched to identify candidate applications for the user to download to the user equipment node 120. Responsive to the user profile, a selection (block 1202) is made between searching for the candidate applications within the secure application store 110, which contains applications that have corresponding application profiles stored in the application profile repository (104), and the independent application store 160, which contains applications that do not have corresponding application profiles stored in the application profile repository 104.
  • the candidate applications are identified (block 1204) responsive to the at least one keyword and residing in the selected one of the secure application store and the independent application store.
  • the candidate applications are communicated (block 1206) to the user equipment node 120.
  • Some further embodiments are directed to corresponding operations and methods by a user equipment node 120 to control operation of applications on a user equipment node 120.
  • an application is received (block 1300) from at least one network node 100 through a data network 150.
  • Settings configuration information is received (block 1302) from the at least one network node 100, where the settings configuration information indicates what permissions are to be granted to the application while operating on the user equipment node 120.
  • the application is installed (block 1304) to enable user initiated operation of the application through a user interface of the user equipment node 120.
  • the permission settings are configured (1306) for the application, responsive to the settings configuration information, to restrict what resources of the user equipment node 120 the application will be allowed to access during operation.
  • the operations and methods include retrieving (block 1400) a user profile that is stored at the user equipment node 120.
  • the user profile indicates the user's preferences for restricting access by applications to resources of the user equipment node 120.
  • the user profile and application information which identifies the application that the user has selected for installation on the user equipment node 120, is communicated (block 1402) to the at least one network node 100.
  • the user equipment node can be any type of electronic device that can receive applications from a network node via a data network, and can control operation of the application on the user equipment node.
  • User equipment nodes can include, but are not limited to, fixed/mobile/transportable terminals (e.g., smart phones and tablet computers), televisions, gaming consoles, and desktop computers.
  • the example user equipment node 120 includes a processor circuit 122, memory circuitry/devices 124, and one or more network interfaces 134.
  • the one or more network interfaces 134 can include a cellular transceiver 136, a wired network interface 138, a wireless local area network transceiver 140, a Bluetooth transceiver 140, and/or a near field communication transceiver 140.
  • the processor circuit 122 may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor).
  • the processor circuit 122 is configured to execute computer program instructions from functional modules in the memory devices 124, described below as a computer readable medium, to perform some or all of the operations and methods that are described above for one or more of the embodiments disclosed herein, such as the embodiments of Figures 1-14.
  • the functional modules can include an application installation module 126, an application settings module 130, applications 128, and user data 132.
  • the application installation module 126 is configured to install an application, which is received via the one or more network interfaces 134, for operation on the user equipment node 120 (e.g., execution by the processor 122).
  • the application settings module 130 configures permission settings for the application that restrict what resources of the user equipment node 120 the application will be allowed to access during operation, responsive to the settings configuration information.
  • the applications 128 may include one or more applications that are downloaded from the secure application store 110 and/or the
  • the user data 132 may include, for example, contact information (e.g. phonebook), application data, and other information items that may be treated as resources whose access privileges by particular ones of the applications is controlled by the settings configuration information received from the system 100 with the corresponding applications.
  • the user equipment node 120 may include a user input interface 142, display device 144, a speaker 146, and/or a microphone 148, one or more of which may be treated as resources whose access privileges by particular ones of the applications is controlled by the settings configuration information received from the system 100 with the corresponding applications.
  • Example Network Node:
  • FIG. 15 is a block diagram of an example network node 1500, which may be used for the application installation and settings controller 102, the application query controller 108, the application profile repository 104, the user profile repository 106, the secure application store 110, and/or the independent application store 160.
  • the network node 1500 can include one or more network interfaces 1530, processor circuitry 1510, and memory circuitry/devices 1520 that contain functional modules 1522.
  • the processor circuitry 1510 may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor).
  • the processor circuitry 1510 is configured to execute computer program instructions from the functional modules 1522 in the memory circuitry/devices 1520, described below as a computer readable medium, to perform some or all of the operations and methods that are described above for one or more of the embodiments disclosed herein, such as the embodiments of Figures 1-14.
  • Example embodiments are described herein with reference to block diagrams and/or flowchart illustrations of computer-implemented methods, apparatus (systems and/or devices) and/or computer program products. It is understood that a block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions that are performed by one or more computer circuits.
  • These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and/or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions/acts specified in the block diagrams and/or flowchart block or blocks, and thereby create means (functionality) and/or structure for implementing the functions/acts specified in the block diagrams and/or flowchart block(s).
  • These computer program instructions may also be stored in a tangible computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the block diagrams and/or flowchart block or blocks.
  • a tangible, non-transitory computer-readable medium may include an electronic, magnetic, optical, electromagnetic, or semiconductor data storage system, apparatus, or device. More specific examples of the non-transitory computer-readable medium would include the following: a portable computer diskette, a random access memory (RAM) circuit, a read-only memory (ROM) circuit, an erasable programmable read-only memory (EPROM or Flash memory) circuit, a portable compact disc read-only memory (CD-ROM), and a portable digital video disc read-only memory (DVD/BlueRay).
  • the computer program instructions may also be loaded onto a computer and/or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer and/or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
  • embodiments of the present invention may be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.) that runs on a processor such as a digital signal processor, which may collectively be referred to as "circuitry," "a module" or variants thereof.
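The mode selection of blocks 800-802, the no-match case of blocks 900-902 and the device-side permission check of block 704 listed above, as an added Python example that is not part of the patent text. The profile fields, the ordering of modes from most to least functional, the dictionary layout of the settings and the default-deny check are all assumptions, since the document defines no concrete data format.

```python
"""Added illustration of blocks 800-802, 900-902 and 704.
Every field name and data layout is an assumption, not the patent's format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mode:
    name: str
    resources: frozenset  # resources this mode of operation accesses


@dataclass(frozen=True)
class ApplicationProfile:
    app_id: str
    modes: tuple  # Mode objects, assumed ordered most functional first


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    denied: frozenset  # resources the user does not want applications to use


def select_mode(app, user):
    """Block 800: first (most functional) mode that touches no denied resource."""
    for mode in app.modes:
        if not (mode.resources & user.denied):
            return mode
    return None


def generate_settings(app, user):
    """Blocks 802 and 900-902: build the settings configuration information."""
    mode = select_mode(app, user)
    if mode is None:
        # Blocks 900-902: nothing fits, so grant nothing and tell the user.
        return {
            "app_id": app.app_id,
            "user_id": user.user_id,
            "status": "no_acceptable_mode",
            "granted": [],
            "message": "No mode of operation of this application satisfies "
                       "the preferences in your profile.",
        }
    # Everything any mode could ask for; whatever the selected mode does not
    # need is listed as denied so the device can refuse it explicitly.
    requested = frozenset().union(*(m.resources for m in app.modes))
    return {
        "app_id": app.app_id,
        "user_id": user.user_id,
        "status": "ok",
        "selected_mode": mode.name,
        "granted": sorted(mode.resources),
        "denied": sorted(requested - mode.resources),
        # Modes needing a resource outside the granted group are not permitted.
        "not_permitted_modes": [m.name for m in app.modes
                                if not m.resources <= mode.resources],
    }


def check_access(settings, resource):
    """Block 704 on the device: default deny, only listed grants are allowed."""
    return settings.get("status") == "ok" and resource in settings["granted"]


# Constructed sample application profile: "full" uses a superset of the
# resources used by the two reduced modes, as in the three-mode embodiment.
PHOTO_APP = ApplicationProfile("photo_share", (
    Mode("full", frozenset({"camera", "contacts", "location", "network"})),
    Mode("no_location", frozenset({"camera", "contacts", "network"})),
    Mode("basic", frozenset({"camera", "network"})),
))

if __name__ == "__main__":
    for denied in ({"location"}, {"location", "contacts"}, {"network"}):
        profile = UserProfile("alice", frozenset(denied))
        print(sorted(denied), "->", generate_settings(PHOTO_APP, profile))
```

Regenerating the settings after a profile change (block 1106) is a second call to `generate_settings` with the updated `UserProfile`; the device then replaces its stored grants with the new result.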

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Methods, network nodes, and user equipment nodes are disclosed that control the operation of applications on user equipment nodes. A method includes receiving user information that identifies a user of the user equipment node (120) and application information that identifies an application that the user has selected for installation on the user equipment node. A user profile is retrieved from a user profile repository (106) using the user information, and an application profile is retrieved from an application profile repository (104) using the application information. Settings configuration information is generated responsive to the user profile and the application profile, and indicates what permissions are to be granted to the application while operating on the user equipment node. The application and the settings configuration information is communicated to the user equipment node (120) for installation of the application and configuration of the permissions that are to be granted to the application during operation.

Description

METHODS AND APPARATUS FOR CONTROLLING PERMISSIONS TO BE GRANTED TO APPLICATIONS ON USER EQUIPMENT RESPONSIVE TO USER PRIVACY PROFILES
TECHNICAL FIELD
[0001] The present disclosure relates to communication networks and, more particularly, to controlling the distribution and operation of applications on user equipment nodes.
BACKGROUND
[0002] Increasingly, users install a wide range of applications (also commonly referred to as "apps") on a wide range of hardware platforms. For example, users install applications on cellular telephones— sometimes called "smart phones"— for literally thousands of purposes. Such applications may be downloaded from a "marketplace" or "application store," which may be configured as a single organization, typically managed by a cellular telephone service provider or device manufacturer. Accordingly, a cellular telephone provider is able to serve applications (both free and paid) to a captive audience of cellular subscribers. Other device types (TVs, etc.) may be similarly managed to receive applications from a single source.
[0003] The downloading process typically involves a user opening the marketplace application and entering a key word that is to be used to search for a desired application. Alternatively, the user may select among buttons representing categories of applications, such as "games" or "featured." In either case, the user is presented with a listing of applications from which to choose.
[0004] This system is problematic for many reasons. Once installed, an application can access or attempt to access any or all resources that are available on or through the user equipment. For example, an application may access the user's private contact information, determine the user's location, track the user's typing or data entering into other applications, and share information or seek information with others through one or more network connections (e.g., cellular, WiFi, etc.) provided by the user equipment. Some operating systems attempt to regulate what rights an application is granted, by querying the user for such permissions when the application is granted. However, some users may not adequately consider such queries when responding, or may not understand the possible unacceptable consequences of providing permission for an application to have various resource rights. For these and other reasons, the present processes for finding, installing, and controlling applications on user equipment nodes continue to be unreasonably burdensome to some users and can fail to sufficiently safeguard users' interests.
[0005] The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
SUMMARY
[0006] It may therefore be an object to address at least some of the above mentioned disadvantages and/or to provide improved control over the configuration and operation of applications on user equipment nodes.
[0007] One embodiment is directed to a method by at least one network node of an application control system for controlling operation of applications on user equipment nodes. The method includes receiving user information that identifies a user of the user equipment node and application information that identifies an application that the user has selected for installation on the user equipment node. A user profile is retrieved from among a plurality of user profiles in a user profile repository using the user information to identify the user profile. The user profile indicates the user's preferences for restricting access by applications to resources of the user equipment node. An application profile is retrieved from among a plurality of application profiles in an application profile repository using the application information to identify the application profile. The application profile indicates resources of the user equipment node that the application will access during operation. Settings configuration information is generated responsive to the user profile and the application profile, and indicates what permissions are to be granted to the application while operating on the user equipment node. The application and the settings configuration information is communicated through a data network to the user equipment node for installation of the application and configuration of the permissions that are to be granted to the application during operation.
[0008] A potential advantage of this approach is that a user can define various security, privacy, and other criteria preferences for restricting access by applications to resources, such as personal data, contact information, hardware components, and/or other applications that are part of and/or are accessible through the user equipment node. The user profile can be defined without being restricted for use with any one particular application, but instead can be used for any application that will be installed on the user equipment node. The user profile can then be used whenever an application is installed on the user equipment node to automatically configure the application's settings so that the application operates in a manner that is acceptable to the user. Moreover, configuration of the application settings in this manner may be performed using a more exhaustive level of analysis than may be possible by a user who may know far less information as to the effect of various application settings on the resources that will be accessed by a particular application during operation.
[0009] Another embodiment is directed to a method by a user equipment node for controlling operation of applications on the user equipment node. The method includes receiving an application from at least one network node through a data network. Settings configuration information is received from the at least one network node. The settings configuration information indicates what permissions are to be granted to the application while operating on the user equipment node. The application is installed on the user equipment node to enable a user to initiate operation of the application through a user interface of the user equipment node. Permission settings are configured for the application, responsive to the settings configuration information, that restrict what resources of the user equipment node the application will be allowed to access during operation.
[0010] Another embodiment is directed to at least one network node that controls operation of applications on a user equipment node. The at least one network node includes a user profile repository, an application profile repository, and an application installation and settings controller. The user profile repository stores a plurality of user profiles, where each of the user profiles indicates a user's preferences for restricting access by applications to resources of a user equipment node. The application profile repository stores a plurality of application profiles, where each of the application profiles indicates resources of a user equipment node that an application will access during operation. The application installation and settings controller receives user information that identifies a user of a user equipment node and application information that identifies an application that the user has selected for installation on the user equipment node. The application installation and settings controller retrieves one of the user profiles from among the plurality of user profiles stored at the user profile repository using the user information to identify the user profile, and retrieves one of the application profiles from among the plurality of application profiles stored at the application profile repository using the application information to identify the application profile. The application installation and settings controller generates settings configuration information, responsive to the user profile and the application profile, that indicates what permissions are to be granted to the application while operating on the user equipment node. The controller communicates the application and the settings configuration information through a data network to the user equipment node for installation of the application and configuration of the permissions that are to be granted to the application during operation.
[0011] Other methods and apparatuses according to embodiments of the invention will be or become apparent to one with skill in the art upon review of the following drawings and detailed description. It is intended that all such additional methods and apparatuses be included within this description, be within the scope of the present invention, and be protected by the accompanying claims. Moreover, it is intended that all embodiments disclosed herein can be implemented separately or combined in any way and/or combination.
BRIEF DESCRIPTION OF THE DRAWINGS
[0012] The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this application, illustrate certain non-limiting embodiment(s) of the invention. In the drawings:
[0013] Figure 1 is a block diagram of an application control system that is configured to operate according to some embodiments;
[0014] Figure 2 is a data flow diagram illustrating example operations and methods for registering applications to generate application profiles, according to some embodiments;
[0015] Figure 3 is a data flow diagram illustrating example operations and methods for generating user profiles, according to some embodiments;
[0016] Figure 4 is a data flow diagram illustrating example operations and methods for identifying applications, installing applications, and configuring application settings responsive to a user profile and an application profile, according to some embodiments;
[0017] Figure 5 is a data flow diagram illustrating example operations and methods for generating updated user settings and reconfiguring application settings responsive to the updated user settings, according to some embodiments;
[0018] Figures 6-12 are flowcharts of operations and methods performed by one or more network nodes of an application control system to control operation of an application on a user equipment node, according to some embodiments;
[0019] Figures 13-14 are flowcharts of operations and methods performed by a user equipment node to configure permission settings of an application, according to some embodiments; and
[0020] Figure 15 is a block diagram of an example network node in an application control system, which is configured to operate according to some embodiments.
DETAILED DESCRIPTION
[0021] The invention will now be described more fully hereinafter with reference to the accompanying drawings, in which embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein.
[0022] Figure 1 is a block diagram of an application control system 100 that is configured to operate according to some embodiments. The application control system 100 can communicate with user equipment nodes 120 via a data network 150 (e.g., wide area network) and a wired and/or radio access network 152. The application control system 100 can contain information that indicates a user's preferences for privacy, security, and/or other user defined criteria, and can assist a user with selecting applications that satisfy those known user preferences. The system 100 can also download an application to the user equipment node 120 and can automatically configure the settings of the application to restrict the operation of the application on the user equipment node 120 in ways that satisfy the known privacy, security, and/or other defined preferences of the user.
[0023] The application control system 100 can include an application query controller 108 that determines what resources will be used by various applications during their operation on a user equipment node, and may further identify particular privacy and security problems that can occur during their operation. The application query controller 108 can generate an application profile for each of the applications, where the application profile indicates resources of a user equipment node that the application will access during operation. The application profiles can be stored in an application profile repository 104. The application query controller 108 may identify, for example, what resource rights an application needs in order to perform various identified modes of operation of the application, and may further identify resource rights that the application may seek but which are needed only for information collection and not for an operational mode that is provided to the user (e.g., background tracking of feature utilization for communication to an application developer without knowledge of the user). Resources of the user equipment node 120 can include, but are not limited to, personal data of the user, contact information (e.g., phonebook, email addresses, etc.), hardware components (e.g., network interface(s), camera, GPS/geographic location determining module, speaker device, microphone device, display device, etc.), and/or other applications that are part of and/or are accessible through the user equipment node.
[0024] The application control system 100 may provide a secure application store 110, which may be provided via a website and may show some or all of the same applications as an independent application store 160. Applications in the secure application store have been examined to determine their resource needs and privacy/security risks during their operation, and application profiles have been generated for each of the applications and stored in the application profile repository 104. In contrast, an independent application store 160, which can be networked through the data network 150 to the application control system 100, can contain applications that may not have been examined to identify their resource needs and privacy/security risks, and for which associated application profiles may not have been generated and stored in the application profile repository 104. Users may choose to download applications from either the secure application store 110 or the independent application store 160; however, users may be charged a higher price for applications downloaded from the secure application store 110 because of the added value of the application analysis that has been performed and the automated configuration of application settings that will be described in more detail below.
[0025] A user may, for example, browse applications through the secure application store 110 to view privacy and security ratings and information associated with the various applications that have been examined, and to further view pricing of the applications. The secure application store 110 may warn a user about applications that are known to operate in a malicious or generally privacy invasive manner (e.g., uses the camera and/or microphone of the user equipment node without informing the user and/or without obtaining user permission). A user may choose to purchase an application through the secure application store 110 instead of the independent application store 160 because of the ability to automatically configure settings of a purchased application using the criteria that the user has defined in the user's profile. Moreover, applications that are listed by, or obtainable through, the secure application store 110 may be guaranteed to be free of malware and unwanted privacy breaching operations, and may be operationally compatible for use under the criteria that the user has defined in the user's profile.
[0026] Figure 2 is a data flow diagram that illustrates example operations and methods for registering applications to generate application profiles, according to some embodiments. During an application registration process (blocks 200 and 202), the application query controller 108 can analyze applications in the secure application store 160, and may further analyze applications in the independent application store 110, to generate (block 206) information that characterizes what resources each application will access (e.g., to receive information from, send information to, and/or execute using) during operation on the user equipment node 120. The application query controller 108 stores (block 204) information characterizing the application in the application profile repository 104. The application profile repository 104 can store a plurality of application profiles, where each of the application profiles indicates resources of the user equipment node 120 that an application will access during operation.
[0027] Analysis of the applications may or may not be fully automated without human intervention. It is contemplated that in some embodiments, personnel of a security service provider will review applications to identify their resource preferences/requirements, and will generate at least a portion of the application profiles for the analyzed applications.
[0028] The application query controller 108 may copy the analyzed applications from the independent application store 110 to the secure application store 160. The secure application store 160 may therefore contain the same applications as the independent application store 110, when those applications have been analyzed. Alternatively, the application query controller 108 may create reference pointers to applications that have been analyzed in the independent application store 110 and store the reference pointers in the secure application store 160, which will allow a user to browse applications listed in the secure application store 110 and select an application that is to be downloaded, using the associated reference pointer, from the independent application store 110 to the user equipment node.
[0029] The application control system 100 can know a user's preferences for what privacy and security related information and resources can be accessible to applications during operation on the user equipment node. The system 100 can generate a user profile which defines those preferences, and may query the user through a question and answer message dialogue about what resources, information, and other privacy and security related operations are considered by the user to be acceptable during operation of an application on the user equipment node.
[0030] Figure 3 is a data flow diagram illustrating example operations and methods for generating user profiles, according to some embodiments. The application control system 100 can include an application installation and settings controller 102. A user can operate the user equipment node 120 to log into the user's account and initiate registration (block 300) of a user application profile. The controller 102 can generate (block 302) user profile information that indicates the user's preferences for restricting access by applications to resources of the user equipment node 120. The controller 102 can store (block 304) the user profile information in the user profile repository 106 associated with an identifier for the user's account. The user profile repository 106 can store a plurality of user profiles, where each of the user profiles indicates a user's preferences for restricting access by applications to resources of the user equipment node 120.
[0031] The user profile information may be obtained by generating question prompts to the user and receiving responsive answers from the user through the data network 150 and the user equipment node 120 operated by the user. The questions may be defined to gauge the level of acceptability to the user if an application accesses defined types of information and/or applications (e.g., contact information, address information, geographic location information, user activity tracking, tracking information input to or output from the application and/or other applications, etc.), if an application accesses defined types of hardware resources of a user equipment node (e.g., cellular network interfaces, wired network interfaces, Bluetooth network interfaces, near field communication interfaces, and/or wireless local area network interfaces to allow communication by the network node outside the user equipment node, positioning modules such as GPS, removable memory module, etc.).
[0032] The user may be able to choose from among a plurality of sets of defined user profile information that are typically determined to be acceptable to users, or the user may be provided with a default set of user profile information that the user can modify in various manners to increase/decrease various privacy/security/other constraints on applications.
[0033] Figure 4 is a data flow diagram illustrating example operations and methods for identifying applications, installing applications, and configuring application settings responsive to a user profile and an application profile, according to some embodiments.
[0034] A user generates (block 400) an application query that identifies the user and at least one keyword that is to be searched to identify candidate applications for the user to download to the user equipment node 120. The application query controller 108 receives the query and retrieves (block 402) one of the user profiles from among the plurality of user profiles stored at the user profile repository 106 using the user information to identify the user profile. The user profile indicates the user's preferences for restricting access by applications to resources of the user equipment node 120. The application query controller 108 uses the user profile and application profiles in the application profile repository 104 to identify (block 404) applications that satisfy criteria defined by the user's profile.
[0035] The application query controller 108 may use the user profile to select between searching for applications within the secure application store 110, which can contain applications that have corresponding application profiles stored in the application profile repository 104, and the independent application store 160, which can contain applications that do not have corresponding application profiles stored in the application profile repository 104.
[0036] The application query controller 108 identifies (block 404) to the user equipment node 120 which applications satisfy criteria defined by the user's profile and which further satisfy conditions of the user's query (e.g., user defined search keywords, categories, etc.). The application query controller 108 can also warn the user when an application has one or more operational modes that have privacy and/or security issues that may be undesirable to a user. The application query controller 108 can also warn the user when the application will be constrained, by settings configurations which meet the user profile criteria, to one or more operational modes that provide less than full functionality and/or which provide reduced functionality operational modes.
[0037] For example, the application profile can indicate a plurality of modes of operation of the application, where each of the modes of operation has a different group of resources that the application will access during operation. The application query controller 108 can identify which, if any, of the operational modes satisfy the criteria defined by the user's profile, and can warn the user of which operational modes will be allowed and/or which operational modes will not be allowed when the application settings are configured pursuant to the criteria defined by the user's profile.
[0038] The user generates (block 406) an application request, via the user equipment node 120. The controller 102 receives the user information that identifies the user of the user equipment node (120) and application information that identifies the application that the user has selected for installation on the user equipment node 120. The application is obtained (block 408) from the secure application store 110 or the independent application store 160 (e.g., depending upon the user's profile). The user profile is retrieved (block 410) from among the plurality of user profiles in the user profile repository 106 using the user information to identify the user profile. The application profile is retrieved (block 410) from among a plurality of application profiles in the application profile repository 104 using the application information to identify the application profile. Settings configuration information is generated (block 412) responsive to the user profile and the application profile, where the settings configuration information indicates what permissions are to be granted to the application while operating on the user equipment node 120. The controller 102 communicates (block 414) the application and the settings configuration information through the data network 150 to the user equipment node 120.
[0039] The application profile may indicate a plurality of modes of operation of the application, where each of the modes of operation has a different group of resources that the application will access. The controller 102 can select among the modes of operation of the application indicated by the application profile, responsive to the user's preferences indicated by the user profile, and can generate the settings configuration information to indicate that a selected mode of operation having a corresponding group of resources is permitted to be granted to the application while operating on the user equipment node 120. When the controller 102 determines that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile, it can, in response to the determination, communicate a message through the data network 150 to the user equipment node 120 informing the user that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile.
[0040] The user equipment node 120 receives (block 416) the application and the settings configuration information, installs the application to enable user initiated operation of the application through a user interface of the user equipment node 120, and configures permission settings for the application that restrict what resources of the user equipment node 120 the application will be allowed to access during operation, responsive to the settings configuration information.
[0041] Accordingly, the application settings can be automatically configured by the user equipment node 120, without needing input from the user during such configuration, by using the settings configuration information which is generated by the application installation and settings controller 102. A user can therefore define various security, privacy, and/or other criteria when defining the user profile, and the user profile can then be used whenever installing an application on the user equipment node to automate configuration of the application settings so that the application operates in a manner that is acceptable to the user, as defined by the user profile criteria. Moreover, configuration of the application settings in this manner may be performed using a more exhaustive level of analysis than may be possible by a user who may know far less information as to the effect of various application settings on the resources that will be accessed by a particular application during operation.
[0042] When the user modifies any of the criteria that are defined by the user profile, the application installation and settings controller 102 can reconfigure the settings of any application that has been installed on the user equipment node 120 so that the applications operate in compliance with the updated user profile. Figure 5 is a data flow diagram illustrating example operations and methods for generating updated user settings and reconfiguring application settings responsive to the updated user settings, according to some embodiments.
[0043] The user operates the user equipment node 120 to modify (block 500) the defined preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node 120, and communicate the modified criteria to the application installation and settings controller 102. The controller 102 receives (block 502) the updated privacy and security preferences information, from the user through the data network 150, and generates (block 502) an updated user profile responsive to the updated privacy and security preferences information. The updated user profile is stored (block 504) in the user profile repository 106 associated with the identifier for the user.
[0044] The controller 102 generates (block 508) updated settings configuration information, responsive to the updated user profile and the application profile, and communicates (block 510) the updated settings configuration information through the data network 150 to the user equipment node 120. The user equipment node 120 responds thereto by reconfiguring (block 512) the application settings permissions that are granted to the application during operation on the user equipment node 120. The system 100 and the user equipment node 120 may communicate through a secure communication channel using, for example, Extensible Markup Language (XML).
Further Example Operations and Methods
[0045] Figures 6-12 are flowcharts of operations and methods performed by one or more network nodes (e.g., the application installation and settings controller 102 and the application query controller 108 of the application control system 100) to control operation of an application on a user equipment node (e.g., the application equipment node 120) according to some embodiments.
[0046] Referring to Figure 6, user information is received (block 600) by the network node that identifies a user of the user equipment node 120 and application information that identifies an application that the user has selected for installation on the user equipment node 120. The network node retrieves (block 602) a user profile from among a plurality of user profiles in the user profile repository 106 using the user information to identify the user profile. The user profile indicates the user's preferences for restricting access by applications to resources of the user equipment node 120. The network node retrieves (block 604) an application profile from among a plurality of application profiles in the application profile repository 104 using the application information to identify the application profile. The application profile indicates resources of the user equipment node 120 that the application will access during operation. The network node generates (block 606) settings configuration information, responsive to the user profile and the application profile, that indicates what permissions are to be granted to the application while operating on the user equipment node 120. The network node communicates (block 608) the application and the settings configuration information through a data network 150 to the user equipment node 120 for installation of the application and configuration of the permissions that are to be granted to the application during operation.
[0047] Referring to Figure 7, the user equipment node 120 receives (block 700) the application and the settings configuration information, and installs (block 702) the application to enable user initiated operation of the application through a user interface of the user equipment node 120. The user equipment node 120 configures (block 704) permission settings for the application that restrict what resources of the user equipment node 120 the application will be allowed to access during operation, responsive to the settings configuration information.
[0048] Some further embodiments are directed to various types of information that can be communicated through an application profile, and to defining how that information can be used to control settings of the corresponding application.
[0049] In one embodiment, the application profile indicates a plurality of modes of operation of the application, where each of the modes of operation has a different group of resources that the application will access. For example, the application profile may indicate first, second, and third modes of operation by the application, where the first mode of operation of the application provides more functionality than the second and third modes of operation of the application, and where the first mode of operation of the application uses a first group of the resources that is a superset that includes second and third groups of the resources used, respectively, by the second and third modes of operation of the application.
[0050] Referring to Figure 8, generation of the settings configuration information can include selecting (block 800) among the modes of operation of the application indicated by the application profile, responsive to the user's preferences indicated by the user profile, and can further include generating (block 802) the settings configuration information to indicate that a selected mode of operation which uses a corresponding group of resources is permitted to be granted to the application while operating on the user equipment node 120.
[0051] Generation of the settings configuration information can further include indicating that a non-selected one or more modes of operation using a corresponding one or more groups of resources are not permitted to be granted to the application while operating on the user equipment node 120.
[0052] Referring to Figure 9, the system 100 can inform a user when no applications satisfy the criteria defined by the user profile. The method and operation can include determining (block 900) that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile, and communicating (block 902) a message through the data network 150 to the user equipment node 120 informing the user that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile in response to the determination.
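The mode selection of blocks 800/802 and the no-match case of blocks 900/902 can be sketched as follows. This is an added example, not code from the patent or its applicant. The data classes, the dictionary layout of the settings configuration information, the resource names, and the sample profiles are all assumptions; in particular it assumes modes are listed from most to least functional and that any resource the user profile does not list is denied.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mode:
    name: str
    resources: frozenset  # device resources this mode accesses


@dataclass(frozen=True)
class ApplicationProfile:
    app_id: str
    modes: tuple  # assumption: ordered from most to least functionality


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    allowed: frozenset  # assumption: any resource not listed is denied


def select_mode(user, app):
    """Block 800: pick the most functional mode the user profile permits."""
    for mode in app.modes:
        if mode.resources <= user.allowed:  # every resource must be allowed
            return mode
    return None


def generate_settings(user, app):
    """Blocks 802 and 900/902: build the settings configuration information."""
    every_resource = frozenset().union(*(m.resources for m in app.modes))
    mode = select_mode(user, app)
    if mode is None:
        # Blocks 900/902: no mode fits, so grant nothing and report why.
        return {
            "app": app.app_id,
            "status": "no_acceptable_mode",
            "grant": [],
            "deny": sorted(every_resource),
            "blocking": {m.name: sorted(m.resources - user.allowed)
                         for m in app.modes},
        }
    return {
        "app": app.app_id,
        "status": "ok",
        "mode": mode.name,
        "grant": sorted(mode.resources),
        # [0051]: resources used only by non-selected modes are denied.
        "deny": sorted(every_resource - mode.resources),
        "blocked_modes": [m.name for m in app.modes
                          if not m.resources <= mode.resources],
        # [0036]: the user should be warned about reduced functionality.
        "reduced_functionality": mode is not app.modes[0],
    }


# Constructed sample data (hypothetical application and users).
MAPS_APP = ApplicationProfile("com.example.maps", (
    Mode("full", frozenset({"location", "network", "contacts", "microphone"})),
    Mode("standard", frozenset({"location", "network"})),
    Mode("offline", frozenset({"location"})),
))
CAUTIOUS = UserProfile("user-a", frozenset({"location", "network", "camera"}))
STRICT = UserProfile("user-b", frozenset({"network"}))
# The same user after relaxing preferences (the update flow of Figure 11).
UPDATED = UserProfile("user-a", frozenset(
    {"location", "network", "camera", "contacts", "microphone"}))

if __name__ == "__main__":
    for profile in (CAUTIOUS, STRICT, UPDATED):
        print(profile.user_id, generate_settings(profile, MAPS_APP))
```

Regenerating the settings with the updated profile is the same call with new input, which is why a profile change can be pushed to already installed applications without user interaction.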
[0053] Some further embodiments are directed to various ways that the user profile can be created, and how later changes to the user's profile can cause updated settings configuration information to be generated and communicated to the user equipment node for use in reconfiguring the settings of the corresponding application that is installed on the user equipment node.
[0054] Referring to Figure 10, privacy and security preferences information is received (block 1000) from the user through the data network 150, and which indicates the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node 120. The user profile is generated (block 1002) responsive to the privacy and security preferences information from the user. The user profile is stored (block 1004) in the user profile repository 106 associated with an identifier for the user.
[0055] In a further embodiment, the privacy and security preferences information can be received (block 1000) responsive to the user logging into a subscriber account and initiating generation of the user profile, which can then initiate operations for obtaining the privacy and security preferences information from the user by generation of question prompts that are sent to the user, and responsive answers that are received from the user through the data network 150 and the user equipment node 120 operated by the user.
[0056] Referring to Figure 11, updated privacy and security preferences information is received (block 1100) from the user through the data network 150, that indicates changes in the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node 120. An updated user profile is generated (block 1102) responsive to the updated privacy and security preferences information. The updated user profile is stored (block 1104) in the user profile repository 106 associated with the identifier for the user. Updated settings configuration information is generated (block 1106) responsive to the updated user profile and the application profile. The updated settings configuration information is communicated (block 1108) through the data network 150 to the user equipment node 120 to cause the user equipment node 120 to reconfigure the permissions (application settings) that are to be granted to the application during operation.
[0057] Some further embodiments are directed to operations and methods for controlling the application query controller 108 to select between querying the independent application store 160 and the secure application store 110 depending upon the user's profile. Referring to Figure 12, an application query is received (block 1200) that identifies at least one keyword that is to be searched to identify candidate applications for the user to download to the user equipment node 120. Responsive to the user profile, a selection (block 1202) is made between searching for the candidate applications within the secure application store 110, which contains applications that have corresponding application profiles stored in the application profile repository (104), and the independent application store 160, which contains applications that do not have corresponding application profiles stored in the application profile repository 104. The candidate applications are identified (block 1204) responsive to the at least one keyword and residing in the selected one of the secure application store and the independent application store. The candidate applications are communicated (block 1206) to the user equipment node 120.
[0058] Some further embodiments are directed to corresponding operations and methods by a user equipment node 120 to control operation of applications on a user equipment node 120. Referring to Figure 13, an application is received (block 1300) from at least one network node 100 through a data network 150. Settings configuration information is received (block 1302) from the at least one network node 100, where the settings configuration information indicates what permissions are to be granted to the application while operating on the user equipment node 120. The application is installed (block 1304) to enable user initiated operation of the application through a user interface of the user equipment node 120. The permission settings are configured (block 1306) for the application, responsive to the settings configuration information, to restrict what resources of the user equipment node 120 the application will be allowed to access during operation.
[0059] Although some embodiments are described above in which the user profile is stored at a network node (e.g. the user profile repository 106), in another embodiment the user profile is stored on the user equipment node 120. Referring to Figure 14, the operations and methods include retrieving (block 1400) a user profile that is stored at the user equipment node 120. The user profile indicates the user's preferences for restricting access by applications to resources of the user equipment node 120. The user profile and application information, which identifies the application that the user has selected for installation on the user equipment node 120, is communicated (block 1402) to the at least one network node 100.
Example User Equipment Node
[0060] The user equipment node can be any type of electronic device that can receive applications from a network node via a data network, and can control operation of the application on the user equipment node. User equipment nodes can include, but are not limited to, fixed/mobile/transportable terminals (e.g., smart phones and tablet computers), televisions, gaming consoles, and desktop computers.
[0061] Referring again to Figure 1, the example user equipment node 120 includes a processor circuit 122, memory circuitry/devices 124, and one or more network interfaces 134. The one or more network interfaces 134 can include a cellular transceiver 136, a wired network interface 138, a wireless local area network transceiver 140, a Bluetooth transceiver 140, and/or a near field communication transceiver 140.
[0062] The processor circuit 122 may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor). The processor circuit 122 is configured to execute computer program instructions from functional modules in the memory devices 124, described below as a computer readable medium, to perform some or all of the operations and methods that are described above for one or more of the embodiments disclosed herein, such as the embodiments of Figures 1-14. The functional modules can include an application installation module 126, an application settings module 130, applications 128, and user data 132.
[0063] The application installation module 126 is configured to install an application, which is received via the one or more network interfaces 134, for operation on the user equipment node 120 (e.g., execution by the processor 122). The application settings module 130 configures permission settings for the application that restrict what resources of the user equipment node 120 the application will be allowed to access during operation, responsive to the settings configuration information. The applications 128 may include one or more applications that are downloaded from the secure application store 110 and/or the independent application store 160. The user data 132 may include, for example, contact information (e.g. phonebook), application data, and other information items that may be treated as resources whose access privileges by particular ones of the applications are controlled by the settings configuration information received from the system 100 with the corresponding applications.
[0064] The user equipment node 120 may include a user input interface 142, display device 144, a speaker 146, and/or a microphone 148, one or more of which may be treated as resources whose access privileges by particular ones of the applications are controlled by the settings configuration information received from the system 100 with the corresponding applications.
[0065] Example Network Node:
[0066] Figure 15 is a block diagram of an example network node 1500, which may be used for the application installation and settings controller 102, the application query controller 108, the application profile repository 104, the user profile repository 106, the secure application store 110, and/or the independent application store 160. The network node 1500 can include one or more network interfaces 1530, processor circuitry 1510, and memory circuitry/devices 1520 that contain functional modules 1522. The processor circuitry 1510 may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor). The processor circuitry 1510 is configured to execute computer program instructions from the functional modules 1522 in the memory circuitry/devices 1520, described below as a computer readable medium, to perform some or all of the operations and methods that are described above for one or more of the embodiments disclosed herein, such as the embodiments of Figures 1-14.
[0067] Further Definitions and Embodiments:
[0068] In the above-description of various embodiments of the present invention, it is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense expressly so defined herein.
[0069] When an element is referred to as being "connected", "coupled", "responsive", or variants thereof to another element, it can be directly connected, coupled, or responsive to the other element or intervening elements may be present. In contrast, when an element is referred to as being "directly connected", "directly coupled", "directly responsive", or variants thereof to another element, there are no intervening elements present. Like numbers refer to like elements throughout. Furthermore, "coupled", "connected", "responsive", or variants thereof as used herein may include wirelessly coupled, connected, or responsive. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Well-known functions or constructions may not be described in detail for brevity and/or clarity. The term "and/or" or "/" includes any and all combinations of one or more of the associated listed items.
[0070] As used herein, the terms "comprise", "comprising", "comprises", "include", "including", "includes", "have", "has", "having", or variants thereof are open-ended, and include one or more stated features, integers, elements, steps, components or functions but do not preclude the presence or addition of one or more other features, integers, elements, steps, components, functions or groups thereof. Furthermore, as used herein, the common abbreviation "e.g.", which derives from the Latin phrase "exempli gratia," may be used to introduce or specify a general example or examples of a previously mentioned item, and is not intended to be limiting of such item. The common abbreviation "i.e.", which derives from the Latin phrase "id est," may be used to specify a particular item from a more general recitation.
[0071] Example embodiments are described herein with reference to block diagrams and/or flowchart illustrations of computer-implemented methods, apparatus (systems and/or devices) and/or computer program products. It is understood that a block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions that are performed by one or more computer circuits. These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and/or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions/acts specified in the block diagrams and/or flowchart block or blocks, and thereby create means (functionality) and/or structure for implementing the functions/acts specified in the block diagrams and/or flowchart block(s).
[0072] These computer program instructions may also be stored in a tangible computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions/acts specified in the block diagrams and/or flowchart block or blocks.
[0073] A tangible, non-transitory computer-readable medium may include an electronic, magnetic, optical, electromagnetic, or semiconductor data storage system, apparatus, or device. More specific examples of the non-transitory computer-readable medium would include the following: a portable computer diskette, a random access memory (RAM) circuit, a read-only memory (ROM) circuit, an erasable programmable read-only memory (EPROM or Flash memory) circuit, a portable compact disc read-only memory (CD-ROM), and a portable digital video disc read-only memory (DVD/BlueRay).
[0074] The computer program instructions may also be loaded onto a computer and/or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer and/or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. Accordingly, embodiments of the present invention may be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.) that runs on a processor such as a digital signal processor, which may collectively be referred to as "circuitry," "a module" or variants thereof.
[0075] It should also be noted that in some alternate implementations, the functions/acts noted in the blocks may occur out of the order noted in the flowcharts. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Moreover, the functionality of a given block of the flowcharts and/or block diagrams may be separated into multiple blocks and/or the functionality of two or more blocks of the flowcharts and/or block diagrams may be at least partially integrated. Finally, other blocks may be added/inserted between the blocks that are illustrated. Moreover, although some of the diagrams include arrows on communication paths to show a primary direction of communication, it is to be understood that communication may occur in the opposite direction to the depicted arrows.
[0076] Many different embodiments have been disclosed herein, in connection with the above description and the drawings. It will be understood that it would be unduly repetitious and obfuscating to literally describe and illustrate every combination and subcombination of these embodiments. Accordingly, the present specification, including the drawings, shall be construed to constitute a complete written description of various example combinations and subcombinations of embodiments and of the manner and process of making and using them, and shall support claims to any such combination or subcombination.
[0077] Many variations and modifications can be made to the embodiments without substantially departing from the principles of the present invention. All such variations and modifications are intended to be included herein within the scope of the present invention.

Claims

CLAIMS:
1. A method by at least one network node (100) of an application control system for controlling operation of applications on a user equipment node (120), the method comprising:
receiving (600) user information that identifies a user of the user equipment node (120) and application information that identifies an application that the user has selected for installation on the user equipment node (120);
retrieving (602) a user profile from among a plurality of user profiles in a user profile repository (106) using the user information to identify the user profile, the user profile indicating the user's preferences for restricting access by applications to resources of the user equipment node (120);
retrieving (604) an application profile from among a plurality of application profiles in an application profile repository (104) using the application information to identify the application profile, the application profile indicating resources of the user equipment node (120) that the application will access during operation;
generating (606) settings configuration information, responsive to the user profile and the application profile, that indicates what permissions are to be granted to the application while operating on the user equipment node (120); and
communicating (608) the application and the settings configuration information through a data network (150) to the user equipment node (120) for installation of the application and configuration of the permissions that are to be granted to the application during operation.
2. The method of Claim 1, further comprising:
receiving (700) the application and the settings configuration information at the user equipment node (120);
installing (702) the application to enable user initiated operation of the application through a user interface of the user equipment node (120); and
configuring (704) permission settings for the application that restrict what resources of the user equipment node (120) the application will be allowed to access during operation, responsive to the settings configuration information.
3. The method of Claims 1-2, wherein: the application profile indicates a plurality of modes of operation of the application, each of the modes of operation having a different group of resources that the application will access.
4. The method of Claim 3, wherein:
the application profile further indicates first, second, and third modes of operation, the first mode of operation of the application provides more functionality than the second and third modes of operation of the application, and the first mode of operation of the application uses a first group of the resources that is a superset that includes second and third groups of the resources used, respectively, by the second and third modes of operation of the application.
5. The method of Claim 3, wherein generating the settings configuration information, responsive to the user profile and the application profile comprises:
selecting (800) among the modes of operation of the application indicated by the application profile, responsive to the user's preferences indicated by the user profile; and
generating (802) the settings configuration information to indicate that a selected mode of operation which uses a corresponding group of resources is permitted to be granted to the application while operating on the user equipment node (120).
6. The method of Claim 5, wherein generating (802) the settings configuration information, responsive to the user profile and the application profile further comprises:
generating the settings configuration information to indicate that a non-selected one or more modes of operation using a corresponding one or more groups of resources are not permitted to be granted to the application while operating on the user equipment node (120).
7. The method of Claim 3, further comprising:
determining (900) that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile; and
communicating (902) a message through the data network (150) to the user equipment node (120) informing the user that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile in response to the determination.
8. The method of Claims 1-7, further comprising:
receiving (1000) privacy and security preferences information, from the user through the data network (150), that indicates the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node (120);
generating (1002) the user profile responsive to the privacy and security preferences information from the user; and
storing (1004) the user profile in the user profile repository (106) associated with an identifier for the user.
9. The method of Claim 8, wherein receiving (1000) privacy and security preferences information, from the user through the data network (150), that indicates the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node (120), comprises:
responding to the user logging into a subscriber account and initiating generation of the user profile, by obtaining the privacy and security preferences information from the user by generating question prompts to the user and receiving responsive answers from the user through the data network (150) and the user equipment node (120) operated by the user.
10. The method of Claim 8, further comprising:
receiving (1100) updated privacy and security preferences information, from the user through the data network (150), that indicates changes in the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node (120);
generating (1102) an updated user profile responsive to the updated privacy and security preferences information;
storing (1104) the updated user profile in the user profile repository (106) associated with the identifier for the user;
generating (1106) updated settings configuration information, responsive to the updated user profile and the application profile; and
communicating (1108) the updated settings configuration information through the data network (150) to the user equipment node (120) for reconfiguration of the permissions that are to be granted to the application during operation.
11. The method of Claims 1-10, further comprising:
receiving (1200) an application query that identifies at least one keyword that is to be searched to identify candidate applications for the user to download to the user equipment node (120);
responsive to the user profile, selecting (1202) between searching for the candidate applications within a secure application store, which contains applications that have corresponding application profiles stored in the application profile repository (104), and an independent application store, which contains applications that do not have corresponding application profiles stored in the application profile repository (104);
identifying (1204) the candidate applications responsive to the at least one keyword and residing in the selected one of the secure application store and the independent application store; and
communicating (1206) the candidate applications to the user equipment node (120).
12. A method by a user equipment node (120) for controlling operation of applications on the user equipment node (120), the method comprising:
receiving (1300) an application from at least one network node (100) through a data network (150);
receiving (1302) settings configuration information from the at least one network node (100), the settings configuration information indicating what permissions are to be granted to the application while operating on the user equipment node (120);
installing (1304) the application to enable user initiated operation of the application through a user interface of the user equipment node (120); and
configuring (1306) permission settings for the application that restrict what resources of the user equipment node (120) the application will be allowed to access during operation, responsive to the settings configuration information.
13. The method of Claim 12, further comprising:
retrieving (1400) a user profile stored at the user equipment node (120), the user profile indicating the user's preferences for restricting access by applications to resources of the user equipment node (120); and
communicating (1402) the user profile with application information that identifies the application that the user has selected for installation on the user equipment node (120), to the at least one network node (100).
14. At least one network node (100) that controls operation of applications on a user equipment node (120), the at least one network node (100) comprising:
a user profile repository (106) that stores a plurality of user profiles, each of the user profiles indicating a user's preferences for restricting access by applications to resources of a user equipment node (120);
an application profile repository (104) that stores a plurality of application profiles, each of the application profiles indicating resources of a user equipment node (120) that an application will access during operation; and
an application installation and settings controller (102) that:
receives user information that identifies a user of a user equipment node (120) and application information that identifies an application that the user has selected for installation on the user equipment node (120);
retrieves one of the user profiles from among the plurality of user profiles stored at the user profile repository (106) using the user information to identify the user profile;
retrieves one of the application profiles from among the plurality of application profiles stored at the application profile repository (104) using the application information to identify the application profile;
generates settings configuration information, responsive to the user profile and the application profile, that indicates what permissions are to be granted to the application while operating on the user equipment node (120); and
communicates the application and the settings configuration information through a data network (150) to the user equipment node (120) for installation of the application and configuration of the permissions that are to be granted to the application during operation.
15. The at least one network node (100) of Claim 14, wherein:
the application profile indicates a plurality of modes of operation of the application, each of the modes of operation having a different group of resources that the application will access;
the application installation and settings controller (102) selects among the modes of operation of the application indicated by the application profile, responsive to the user's preferences indicated by the user profile; and
the application installation and settings controller (102) generates the settings configuration information to indicate that a selected mode of operation having a corresponding group of resources is permitted to be granted to the application while operating on the user equipment node (120).
16. The at least one network node (100) of Claims 14-15, wherein:
the application installation and settings controller (102) determines that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile, and communicates a message through the data network (150) to the user equipment node (120) informing the user that none of the modes of operation of the application indicated by the application profile satisfy the user's preferences indicated by the user profile in response to the determination.
17. The at least one network node (100) of Claims 14-15, wherein the application installation and settings controller (102) is further configured to:
receive privacy and security preferences information, from the user through the data network (150), that indicates the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node (120);
generate the user profile responsive to the privacy and security preferences information from the user; and
store the user profile in the user profile repository (106) associated with an identifier for the user.
18. The at least one network node (100) of Claim 17, wherein:
the application installation and settings controller (102) responds to the user logging into a subscriber account and initiating generation of the user profile, by obtaining the privacy and security preferences information from the user by generating question prompts to the user and receiving responsive answers from the user through the data network (150) and a user equipment node (120) operated by the user.
19. The at least one network node (100) of Claim 17, wherein the application installation and settings controller (102) is further configured to:
receive updated privacy and security preferences information, from the user through the data network (150), that indicates changes in the user's preferences for controlling privacy and security of information that can be accessible to applications during operation on the user equipment node (120);
generate an updated user profile responsive to the updated privacy and security preferences information from the user;
store the updated user profile in the user profile repository (106) associated with the identifier for the user;
generate updated settings configuration information, responsive to the updated user profile and the application profile; and
communicate the updated settings configuration information through the data network (150) to the user equipment node (120) for reconfiguration of the permissions that are to be granted to the application during operation.
20. The at least one network node (100) of Claims 14-19, wherein the application installation and settings controller (102) is further configured to:
receive an application query that identifies at least one keyword that is to be searched to identify candidate applications for the user to download to the user equipment node (120);
respond to the user profile by selecting between searching for applications within a secure application store, which contains applications that have corresponding application profiles stored in the application profile repository (104), and an independent application store, which contains applications that do not have corresponding application profiles stored in the application profile repository (104);
identify candidate applications responsive to the at least one keyword in the selected one of the secure application store and the independent application store; and
communicate the candidate applications to the user equipment node (120).
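
The mode selection of Claims 3 to 7, together with the node-side flow of Claim 1, sketched as an added example that is not part of the patent text. The profile layout, the resource and mode names, the `functionality` rank used to prefer richer modes, the explicit deny list, the fail-closed handling of a missing profile, and all function names are assumptions made for illustration.

```python
"""Added illustration of Claims 1 and 3-7; not code from the patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mode:
    name: str
    resources: frozenset  # resources of the user equipment node this mode accesses
    functionality: int    # assumed rank: higher means more functionality (Claim 4)


@dataclass(frozen=True)
class AppProfile:
    app_id: str
    modes: tuple


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    denied: frozenset  # resources the user does not want applications to access


# Constructed sample data standing in for repositories (106) and (104).
USER_PROFILES = {
    "alice": UserProfile("alice", frozenset({"contacts", "location"})),
    "bob": UserProfile("bob", frozenset({"network"})),
    "carol": UserProfile("carol", frozenset()),
}
APP_PROFILES = {
    # The "full" group is a superset of the other two groups, as in Claim 4.
    "maps-app": AppProfile("maps-app", (
        Mode("full", frozenset({"network", "location", "contacts"}), 3),
        Mode("navigate", frozenset({"network", "location"}), 2),
        Mode("browse", frozenset({"network"}), 1),
    )),
}


def select_mode(user, app):
    """Step 800: most functional mode that touches no resource the user denies."""
    allowed = [m for m in app.modes if not (m.resources & user.denied)]
    return max(allowed, key=lambda m: m.functionality) if allowed else None


def generate_settings(user_id, app_id):
    """Steps 602-606 and 900/902: build the settings configuration information."""
    user = USER_PROFILES.get(user_id)
    app = APP_PROFILES.get(app_id)
    if user is None or app is None:
        # Assumption of this example: fail closed, since without both
        # profiles there is no basis for granting any permission.
        return {"app_id": app_id, "install": False, "reason": "missing profile"}
    mode = select_mode(user, app)
    if mode is None:
        # Claim 7: report that no mode satisfies the user's preferences.
        return {"app_id": app_id, "install": False,
                "reason": "no mode of operation satisfies the user profile"}
    all_resources = frozenset().union(*(m.resources for m in app.modes))
    return {
        "app_id": app_id,
        "install": True,
        "selected_mode": mode.name,
        "granted": sorted(mode.resources),
        # Explicit deny list, so the device does not fall back to whatever
        # the application itself requests at install time.
        "denied": sorted(all_resources - mode.resources),
        # Claim 6: non-selected modes are marked as not permitted.
        "blocked_modes": sorted(m.name for m in app.modes if m is not mode),
    }


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        print(uid, generate_settings(uid, "maps-app"))
```

The device side (Claims 2 and 12) would apply `granted` and `denied` as its permission settings when installing the application.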

Priority Applications (4)

Application Number Priority Date Filing Date Title
US14/424,097 US10122726B2 (en) 2012-08-30 2012-08-30 Methods and apparatus for controlling permissions to be granted to applications on user equipment responsive to user privacy profiles
EP12769470.1A EP2891340A1 (en) 2012-08-30 2012-08-30 Methods and apparatus for controlling permissions to be granted to applications on user equipment responsive to user privacy profiles
PCT/IB2012/001679 WO2014033492A1 (en) 2012-08-30 2012-08-30 Methods and apparatus for controlling permissions to be granted to applications on user equipment responsive to user privacy profiles
IN1254DEN2015 IN2015DN01254A (en) 2012-08-30 2015-02-16

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2012/001679 WO2014033492A1 (en) 2012-08-30 2012-08-30 Methods and apparatus for controlling permissions to be granted to applications on user equipment responsive to user privacy profiles

Publications (1)

Publication Number Publication Date
WO2014033492A1 (en) 2014-03-06

Family

ID=46982643

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2012/001679 WO2014033492A1 (en) 2012-08-30 2012-08-30 Methods and apparatus for controlling permissions to be granted to applications on user equipment responsive to user privacy profiles

Country Status (4)

Country Link
US (1) US10122726B2 (en)
EP (1) EP2891340A1 (en)
IN (1) IN2015DN01254A (en)
WO (1) WO2014033492A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017137089A1 (en) * 2016-02-12 2017-08-17 Huawei Technologies Duesseldorf Gmbh User equipment profiling for network administration

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105264965B (en) * 2013-11-01 2020-07-07 华为技术有限公司 Method and device for controlling application to access network
US9686237B2 (en) 2014-08-19 2017-06-20 International Business Machines Corporation Secure communication channel using a blade server
US20160057206A1 (en) * 2014-08-19 2016-02-25 International Business Machines Corporation Application profile to configure and manage a software defined environment
US9928371B2 (en) 2014-11-19 2018-03-27 Paypal, Inc. Systems and methods for protecting information displayed on a user interface of a device
US9886598B2 (en) * 2014-12-29 2018-02-06 Paypal, Inc. Automatic adjustment of a display to obscure data
US9886246B2 (en) 2015-07-13 2018-02-06 International Business Machines Corporation Dynamically building mobile applications
US9928372B2 (en) 2015-10-23 2018-03-27 Paypal, Inc. Selective screen privacy
WO2017146523A1 (en) * 2016-02-26 2017-08-31 엘지전자 주식회사 Method and user equipment for requesting connection to network
US10949565B2 (en) * 2016-06-10 2021-03-16 OneTrust, LLC Data processing systems for generating and populating a data inventory
US10649752B2 (en) * 2016-09-28 2020-05-12 International Business Machines Corporation Sharing data and applications across computing systems
US10782954B2 (en) * 2016-10-05 2020-09-22 International Business Machines Corporation User defined application interface
US10353686B1 (en) * 2016-12-28 2019-07-16 Facebook, Inc. Application installation system
US20180288616A1 (en) * 2017-03-28 2018-10-04 The Fin Exploration Company Predictive permissioning for mobile devices
US10771269B2 (en) * 2018-03-09 2020-09-08 Cisco Technology, Inc. Automated intelligent node for hybrid fiber-coaxial (HFC) networks
US11853306B2 (en) * 2018-06-03 2023-12-26 Apple Inc. Techniques for personalizing app store recommendations
US11539705B2 (en) 2020-02-14 2022-12-27 The Toronto-Dominion Bank Systems and methods for controlling third-party access of protected data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070004393A1 (en) * 2005-06-29 2007-01-04 Nokia Corporation System and method for automatic application profile and policy creation
US20120072991A1 (en) * 2010-09-22 2012-03-22 Rohyt Belani Methods and systems for rating privacy risk of applications for smart phones and other mobile platforms
US20120185912A1 (en) * 2011-01-17 2012-07-19 Samsung Electronics Co., Ltd. System and method for granting authorization of application in wireless communication system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201136429A (en) * 2010-04-08 2011-10-16 Inventec Corp Network storage system for application and method thereof
US20120124028A1 (en) * 2010-11-12 2012-05-17 Microsoft Corporation Unified Application Discovery across Application Stores
US8359016B2 (en) * 2010-11-19 2013-01-22 Mobile Iron, Inc. Management of mobile applications
US9047469B2 (en) * 2011-09-10 2015-06-02 Microsoft Technology Licensing, Llc Modes for applications
US9405723B2 (en) * 2012-05-02 2016-08-02 Kony, Inc. Mobile application management systems and methods thereof
US8832846B2 (en) * 2012-05-11 2014-09-09 Verizon Patent And Licensing Inc. Methods and systems for providing a notification of a compliance level of an application with respect to a privacy profile associated with a user

Also Published As

Publication number Publication date
US10122726B2 (en) 2018-11-06
EP2891340A1 (en) 2015-07-08
US20150249673A1 (en) 2015-09-03
IN2015DN01254A (en) 2015-06-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12769470; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 14424097; Country of ref document: US)
NENP Non-entry into the national phase (Ref country code: DE)