WO2011114308A1 - Method of and system for installing client protection software on a mobile device - Google Patents

Method of and system for installing client protection software on a mobile device

Info

Publication number: WO2011114308A1
Authority: WO (WIPO (PCT))
Prior art keywords: client, protection software, url, mobile device, msisdn
Legal status: Ceased
Application number: PCT/IB2011/051133
Other languages: English (en)
Inventors: Craig Howard Bregman, Willem Liebrecht Fick, Hayden Paul Schwarz
Current assignee: ARBALEST Pty Ltd
Original assignee: ARBALEST Pty Ltd
Priority date: 2010-03-18
Filing date: 2011-03-18
Publication date: 2011-09-22
Events: application filed by ARBALEST Pty Ltd; publication of WO2011114308A1; priority to ZA2012/08066A (ZA201208066B); anticipated expiration; legal status ceased.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/60 Software deployment
    • G06F 8/61 Installation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud

Definitions

  • This invention relates to a method of and system for installing client software, and in particular, protection software, on a client's mobile device.
  • The protection software may comprise antivirus, antispam, firewall and risk management components in a single client application.
  • This invention relates to the packaging, delivering, monitoring and subscription auditing of protection software solutions, and related data storage, data loss protection, and recovery services.
  • Symantec has an Endpoint Protection, Mobile Edition, security solution.
  • For convenience, the present invention will be described with particular reference to this security solution, but it should be clear that the present invention is by no means limited to this particular security solution.
  • Symantec's mobile security solution extends beyond antivirus to address new attack vectors such as "snoopware" (a Symantec term for mobile spyware), which remotely places a phone into diagnostic mode then activates the microphone to monitor conversations, and "pranking4profit", in which an attack results in theft by accessing premium mobile SMS payments.
  • Symantec's Mobile Endpoint Security Suite software leverages Mobile Device Management Systems (MDMs) from vendors to roll out its installation package, send down new configurations, and collect log events if an administrator chooses to do so. This also enables companies to conduct loss mitigation techniques such as 'wipe and kill' to protect any proprietary information on lost or stolen phones.
  • Symantec's Endpoint Protection Mobile Edition provides integrated security and management capabilities for today's mobile devices. Today, many mobile devices contain confidential and sensitive data. Thus, the need to manage and secure these devices is critical.
  • The Symantec Endpoint Protection, Mobile Edition client software is installed on the mobile devices to be protected. It includes antivirus, antispam, firewall, and risk management in a single client.
  • Symantec Management Platform (SMP) is installed on an administrator's computer. Mobile security policies are managed in the Symantec Management Console, as well as mobile security reports and notifications.
  • The Symantec Mobile Security Solution is the mobile security management plug-in to the platform.
  • The solution includes mobile security policies, reports, notifications, and risk management.
  • Symantec Network Access Control, Mobile Edition is available separately, with this product providing Host Integrity checks to make sure that the security software on the mobile devices complies with an organization's security policies.
  • The Symantec Network Access Control, Mobile Edition also protects an organisation's network against connections by any device that does not comply with defined security policies. Network Access Control uses a series of Host Integrity checks to verify that your devices are compliant. If the checks indicate noncompliance, you can deny access to your network.
  • Symantec Management Platform includes the following components:
  • Notification Server, which is the platform service that provides event processing, communication, and coordination with other platform services.
  • Configuration Management Database (CMDB).
  • Symantec Management Console, which is a web-based user interface that allows management of the mobile security products.
  • The Symantec Management Platform and the Symantec Mobile Security Solution are first installed.
  • The download site contains the client installers and an agent installation file.
  • An agent installation file is created by using a Symantec Mobile Security Agent policy page in the Symantec Management Console. This file contains the settings to establish communication between the device and the Notification Server computer.
  • Symantec Endpoint Protection Mobile Edition protects an organization's network and the devices that connect to it by providing antivirus protection and a firewall. Antivirus protection provides real-time scanning of files as users access them on their devices. It also provides scheduled scans, on-demand scans, and repair options. Symantec's Endpoint Protection, Mobile Edition also helps to mitigate the risks to an organisation's data if a device is lost or stolen. In particular, a list of sensitive files that were accessed on a lost or stolen device may then be retrieved.
  • The Symantec Endpoint Protection, Mobile Edition client software includes the Symantec Mobile Security Agent.
  • The agent communicates with the server to perform the following actions:
  • A method of installing client protection software on a mobile device comprising: receiving a service request from a client; directing the client to a URL, with the client then executing the URL through the device's default browser; determining the mobile device's details; receiving confirmation from the user that the mobile device's details determined in the previous step are correct; pushing an installation package to the mobile device, the installation package comprising the protection software, a configuration file and an installer application that manages the installation process; requesting client authorisation to install the protection software and prompting the client to enter the MSISDN (Mobile Subscriber Integrated Services Digital Network Number) for the device; installing the configuration file, which commences the installation of the protection software; and installing the protection software on the device.
  • The step of directing a client to a URL comprises the steps of compiling a text message containing a URL and then sending the text message with the URL to the client's mobile device.
  • The step of directing a client to a URL comprises the step of directing a client from a web interface to the URL.
  • The URL sent to the client's mobile device comprises a code that is unique for the device's MSISDN, so as to define a unique URL, with the method comprising the step of disabling the unique URL.
  • The method comprises the steps of sending the MSISDN and the device's IMEI (International Mobile Equipment Identity) to a billing server, the billing server confirming the MSISDN and linking the MSISDN and IMEI.
  • The step of installing the protection software on the device includes the step of connecting to a managing server to assign a license and provide configurations for the device.
  • The method includes the step of the billing server reconciling with the managing server to confirm the successful installation of the protection software on the device, and to confirm the validity of the client by matching the IMEI on the billing server with the IMEI on the managing server.
  • The method includes the step of maintaining the device on the managing server and the billing server.
  • The method includes the step of the billing server initiating a first billing for the client, typically via an external billing entity.
  • A system of installing client protection software on a mobile device comprising: means to receive a service request from a client; means to direct the client to a URL, with the client then executing the URL through the device's default browser; means to determine the mobile device's details; means to receive confirmation from the user that the mobile device's details are correct; means to push an installation package to the mobile device, the installation package comprising the protection software, a configuration file and an installer application that manages the installation process; means to request client authorisation to install the protection software and to prompt the client to enter the MSISDN (Mobile Subscriber Integrated Services Digital Network Number) for the device; and installation means to install the configuration file, which commences the installation of the protection software, and the protection software on the device.
  • A system for installing client protection software on a mobile device comprising: a communications server arranged to: receive a service request from a client; direct the client to a URL, with the client then executing the URL through the device's default browser; determine the mobile device's details; receive confirmation from the user that the mobile device's details determined in the previous step are correct; push an installation package to the mobile device, the installation package comprising the protection software, a configuration file and an installer application that manages the installation process; request client authorisation to install the protection software and to prompt the client to enter the MSISDN (Mobile Subscriber Integrated Services Digital Network Number) for the device; install the configuration file, which commences the installation of the protection software; and install the protection software on the device.
  • The system comprises a billing server that, during the installation process, and typically in response to the client entering the MSISDN for the device, receives the MSISDN and the device's IMEI (International Mobile Equipment Identity), the billing server confirming the MSISDN and linking the MSISDN and IMEI.
  • The system comprises a managing server to assign a license and provide configurations for the device.
  • The managing server is further arranged to reconcile with the billing server to confirm the successful installation of the protection software on the device, and to confirm the validity of the client by matching the IMEI on the billing server with the IMEI on the managing server.
  • Figure 1 shows a schematic flow diagram of a method of installing client protection software on a mobile device, according to a first embodiment of the present invention.
  • Figure 2 shows a schematic block diagram of a system for installing client protection software on a mobile device, according to a second embodiment of the present invention.
  • Figure 3 shows a matrix that combines the primary method steps of
  • Figure 4 shows a sample report of a Device Record for the purposes of real-time reporting.
  • The method 10 comprises receiving a service request from the client, as indicated by block 12 in Figures 1 and 2.
  • The client 54 is represented by layer 14 in Figure 1, a central communications server 56 (in Figures 2 and 3) by layer 16 in Figure 1, and a mobile service provider by layer 18.
  • The client 54 thus typically registers a request for the service of the present invention, typically by sending an SMS text message with pre-defined content, such as "AV" as shown in Figure 2, or any other alphanumeric sequence, to a unique mobile number.
  • This request for service may also be submitted in any number of other known ways, such as via a website, or as a request from a Service Provider or an Organisation.
  • A registration API (Application Programming Interface) receives the request for service, as indicated by block 20.
  • A text message containing a URL may be compiled by the communications server 56, as indicated by block 22 in Figures 1 and 2, with the text message then being sent to the client, as indicated by arrow 23 in Figure 2.
  • The URL sent to the client's mobile device 52 is unique, comprising a code that is unique for the device's MSISDN, so as to define the unique URL.
  • The method 10 further comprises the step of deactivating/disabling the unique URL down the line, as indicated by block 24 in Figure 2, the aim of which is to prevent license sharing.
  • The client may simply be directed from his/her web interface to the URL.
  • The client then executes the URL through the device's default browser, as indicated by block 26 in Figure 1.
  • The method 10 then includes the step of determining the mobile device's details, as indicated by block 28 in Figure 1.
  • This is typically achieved by the executed URL interrogating the device's UAProf (User Agent Profile) so as to determine the type and operating system of the mobile device.
  • The UAProf specification is concerned with capturing capability and preference information for wireless devices. This information can be used by content providers to produce content in an appropriate format for the specific device.
  • A UAProf file describes the capabilities of a mobile handset, including Vendor, Model, Screensize, Multimedia Capabilities, Character Set support, and more.
  • In one embodiment, the present invention uses the open source software WURFL (idosl.sourcefourge.net), which is a popular method of accessing the above information.
  • The information obtained includes the device's 52 brand, model, operating system name and version, software platform name and version, screen size, and WAP capabilities.
  • The method 10 then comprises receiving confirmation from the client 54 that the mobile device's 52 details determined in the previous step are correct. This is indicated by block 30 in Figure 1.
  • An installation package 58 is then pushed to the mobile device 52, as indicated by block 32 in Figures 1 and 2.
  • The installation package 58 comprises the protection software 60 itself, a configuration file 62 and an installer application 64 that manages the installation process.
  • The protection software 60 corresponds to the Symantec product described above (i.e. the Endpoint Protection, Mobile Edition product described above), and the configuration file 62 is an XML configuration file, the format and content of which is defined by Symantec.
  • The purpose of the configuration file 62 is to provide the details and pre-shared security details required by the protection software to connect to a managing server (reference numeral 66 in Figures 2 and 3).
  • The managing server 66 corresponds substantially to the Symantec Management Platform described above.
  • The installer application 64 is responsible for:
  • The method 10 then comprises requesting client authorisation to install the protection software 60 and prompting the client to enter the MSISDN (Mobile Subscriber Integrated Services Digital Network Number) for the device 52, as indicated by block/s 34 in Figures 1 and 2.
  • The installation procedure is invoked by the client 54 and typically triggers the validation of the installation via an application connecting to the billing server 68.
  • The method comprises the steps of sending the MSISDN and the device's IMEI (International Mobile Equipment Identity) to the billing server 68, as indicated by block 36 in Figures 1 and 2.
  • The billing server 68 then confirms the MSISDN and links the MSISDN and IMEI, as indicated by block 38 in Figures 1 and 2.
  • The MSISDN is a number that uniquely identifies a subscription in a GSM or UMTS mobile network. Simply put, it is the telephone number of the SIM card in a mobile/cellular phone. The MSISDN is used to route calls to the subscriber.
  • The IMEI is a number unique to every GSM, WCDMA, and iDEN mobile phone, as well as some satellite phones. It is usually found printed inside the battery compartment of the phone and can be retrieved on any mobile device by dialing *#06#. The IMEI number is used by the GSM network to identify valid devices and therefore can be used to stop a stolen phone from accessing the network in that country.
  • The XML configuration file 62 is then loaded, which commences the installation of the protection software 60, with the protection software 60 then being installed on the device 52.
  • The device 52 connects to the managing server 66, which then assigns a license and provides configurations for the device 52. This is indicated by blocks 41 in Figure 2. Part of this process includes the linking of the device's MSISDN and IMEI on the managing server 66. As described above, the managing server 66 corresponds with Symantec's SMP server and, amongst other things, provides the management of the protection software 60 (e.g. policy updates, virus definition updates etc.).
  • The method 10 includes the step of the billing server 68 reconciling with the managing server 66 to confirm the successful installation of the protection software 60 on the device 52. Part of this process is to confirm the validity of the client 54 by matching the IMEI on the billing server 68 with the IMEI on the managing server 66, as indicated by block 42 in Figures 1 and 2.
  • The method 10 includes the step of maintaining the device 52 on the managing server 66 and the billing server 68.
  • The method 10 includes the step of the billing server 68 initiating a first billing for the client 54, typically via an external billing entity 70.
  • The managing server 66 and billing server 68 are linked, so that information drawn from both servers may be consolidated into what may be termed a Device Record containing all the details necessary for the purposes of real-time reporting.
  • This reporting may be made available to a Service Provider to whom the client 54, and thus by extension his/her device 52, is contracted or subscribed.
  • The reporting provides details related to Device Status, Billing Status and Activity Status, each of which will be briefly described below.
  • A detailed device identity may be created, including:
  • The billing server 68 is populated with information fed from the managing server 66.
  • Service Provider billing policies may be defined and activated, with separate Service Provider user bases being defined, analysed and reported on.
  • The sample report shown in Figure 4 shows how the above information may be consolidated and presented.
  • The benefits of this additional service solution complement the first leg of the total solution described above, namely the over-the-air (OTA) deployment of protection software.
  • The service solution benefits include:
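
The server-side flow described in the bullets above (blocks 22 to 42: a unique URL per MSISDN that is disabled after use to prevent license sharing, MSISDN/IMEI linking on the billing server, and reconciliation of the billing and managing servers by matching IMEIs) is sketched below as an added Python example. It is not code from the patent, from ARBALEST or from Symantec; the class names, the placeholder BASE_URL host, the HMAC-based code format, the Luhn check on the IMEI and the sample MSISDNs and IMEIs are all assumptions constructed for the illustration.

```python
"""Illustrative sketch (not the patent's own code) of the provisioning flow: a one-shot
URL per MSISDN, MSISDN/IMEI linking on the billing server, and reconciliation of the
billing and managing servers by IMEI match. All names and values are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SERVER_SECRET = b"constructed-demo-secret"              # assumption: a real key comes from a key store
BASE_URL = "https://provision.example.invalid/install"  # assumption: placeholder host


def luhn_ok(digits: str) -> bool:
    """IMEI check digit uses the Luhn algorithm; rejects mistyped or obviously made-up IMEIs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CommunicationsServer:
    """Compiles the unique URL sent by SMS (block 22) and disables it after use (block 24)."""
    pending: Dict[str, str] = field(default_factory=dict)   # code -> msisdn, dropped on redemption

    def _mac(self, msisdn: str, nonce: str) -> str:
        return hmac.new(SERVER_SECRET, f"{msisdn}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]

    def issue_url(self, msisdn: str) -> str:
        # Random nonce + HMAC over (msisdn, nonce): the code is unguessable and tied to one number.
        nonce = secrets.token_hex(8)
        code = nonce + self._mac(msisdn, nonce)
        self.pending[code] = msisdn
        return f"{BASE_URL}?c={code}"

    def redeem(self, url: str) -> Optional[str]:
        """Return the MSISDN for a live URL and disable it; None if unknown, tampered or already used."""
        code = url.rsplit("?c=", 1)[-1]
        msisdn = self.pending.get(code)
        if msisdn is None or not hmac.compare_digest(code[16:], self._mac(msisdn, code[:16])):
            return None
        del self.pending[code]              # one-shot: a forwarded link cannot install a second copy
        return msisdn


@dataclass
class BillingServer:
    """Confirms the MSISDN and links it to the device's IMEI (blocks 36 and 38)."""
    links: Dict[str, str] = field(default_factory=dict)     # msisdn -> imei

    def link(self, msisdn: str, imei: str) -> bool:
        if not (msisdn.isdigit() and 10 <= len(msisdn) <= 15):
            return False
        if len(imei) != 15 or not luhn_ok(imei):
            return False
        if self.links.get(msisdn, imei) != imei:
            return False                    # MSISDN already bound to a different handset
        self.links[msisdn] = imei
        return True


@dataclass
class ManagingServer:
    """Assigns a licence and records the MSISDN/IMEI pair for the installed client (block 41)."""
    devices: Dict[str, str] = field(default_factory=dict)   # msisdn -> imei
    licences_issued: int = 0

    def register(self, msisdn: str, imei: str) -> int:
        self.devices[msisdn] = imei
        self.licences_issued += 1
        return self.licences_issued         # licence number handed to the device


def reconcile(billing: BillingServer, managing: ManagingServer) -> Dict[str, str]:
    """Block 42: for every billed MSISDN, compare the IMEI held by each server."""
    status = {}
    for msisdn, imei in billing.links.items():
        if msisdn not in managing.devices:
            status[msisdn] = "not_installed"    # billed, but no client ever checked in
        elif managing.devices[msisdn] != imei:
            status[msisdn] = "imei_mismatch"    # client checked in from another handset
        else:
            status[msisdn] = "verified"
    return status


def demo() -> Dict[str, str]:
    """Run three constructed subscribers through the flow and return the reconciliation."""
    comms, billing, managing = CommunicationsServer(), BillingServer(), ManagingServer()
    # Constructed sample MSISDNs and IMEIs (the IMEIs carry valid Luhn check digits).
    url = comms.issue_url("27820000001")
    if comms.redeem(url) != "27820000001" or comms.redeem(url) is not None:
        raise RuntimeError("one-shot URL behaviour broken")
    billing.link("27820000001", "490154203237518")
    managing.register("27820000001", "490154203237518")     # clean install
    billing.link("27820000002", "356938035643809")          # install never completed
    billing.link("27820000003", "353456789012348")
    managing.register("27820000003", "012345678901237")     # checked in from another handset
    return reconcile(billing, managing)


if __name__ == "__main__":
    print(demo())
```

The one-shot code is what gives the "disable the unique URL" step its anti-sharing effect: the same SMS link forwarded to a second handset is refused, and the later IMEI comparison catches the case where the billing record and the installed client disagree about which handset holds the licence.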

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

In a first aspect, the invention relates to a method of installing client protection software on a mobile device, the method comprising receiving a service request from the client, directing the client to a URL, with the client then executing the URL through the device's default browser, determining the mobile device's details, receiving confirmation from the user that the details determined in the previous step are correct, pushing an installation package to the mobile device, the installation package comprising the protection software, a configuration file and an installer application that manages the installation process, requesting the client's authorisation to install the protection software and prompting the client to enter the MSISDN (mobile subscriber ISDN number) for the device, installing the configuration file, which commences the installation of the protection software, and installing the protection software on the device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
ZA2012/08066A ZA201208066B (en) 2010-03-18 2012-10-25 Method of and system for installing client protection software on a mobile device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA2010/01939 2010-03-18
ZA201001939 2010-03-18

Publications (1)

Publication Number Publication Date
WO2011114308A1 (fr) 2011-09-22

Family

ID=44281016

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2011/051133 Ceased WO2011114308A1 (fr) 2010-03-18 2011-03-18 Method of and system for installing client protection software on a mobile device

Country Status (2)

Country Link
WO (1) WO2011114308A1 (fr)
ZA (1) ZA201208066B (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008132670A1 (fr) * 2007-04-25 2008-11-06 Fireflight (Pty) Ltd Method and system for installing a software application on a mobile computing device
US20090199176A1 (en) * 2008-02-06 2009-08-06 Badri Nath System and method to securely load a management client from a stub client to facilitate remote device management
WO2010119428A1 (fr) * 2009-04-16 2010-10-21 Fireid (Proprietary) Limited Method and system for installing and managing multiple software applications on a mobile computing device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102012010559A1 (de) * 2012-05-29 2013-12-05 Top.Conduct Gmbh Authentication system and method for the simplest possible transfer of application programs and access authorisation data for offers made available online between different mobile devices for online use
CN103200175A (zh) * 2013-02-25 2013-07-10 捷德(中国)信息科技有限公司 Method and device for securely installing an application on a mobile device
CN103200175B (zh) * 2013-02-25 2015-08-26 捷德(中国)信息科技有限公司 Method and device for securely installing an application on a mobile device

Also Published As

Publication number Publication date
ZA201208066B (en) 2013-06-26

Similar Documents

Publication Publication Date Title
EP1897074B1 (fr) Apparatus and methods for detecting and managing unauthorised executable instructions on a wireless device
US20220174494A1 (en) Determining a security state based on communication with an authenticity server
CN109460660B (zh) A mobile device security management system
US8732827B1 (en) Smartphone security system
US8874082B2 (en) Apparatus and methods for protecting data on a wireless device
US8005468B2 (en) Personalization, diagnostics and terminal management for mobile devices in a network
US8577334B1 (en) Restricted testing access for electronic device
KR101124069B1 (ko) Binding content to a user
CN103716785B (zh) A mobile internet security service system
US20120270523A1 (en) System and method for controlling mobile device access to a network
CN104462961A (zh) Mobile terminal and privacy permission optimisation method thereof
CN104298916A (zh) Application management method, application management system and user device
CN101557584A (zh) Method and device for implementing application permission control on a mobile terminal
CN1732674A (zh) Distributed authorisation system and method for communication device access
WO2011114308A1 (fr) Method of and system for installing client protection software on a mobile device
WO2024109270A1 (fr) Short message processing method and apparatus, device and readable storage medium
Sohr et al. Software security aspects of Java-based mobile phones
CN116249095A (zh) Page display method and related device
O’Connor Attack surface analysis of Blackberry devices
Kazmi et al. TASAM-Towards the Smart Devices App-Stores Applications Security Management Related Best Practices
KR20130048691A (ko) Method for providing a policy control function, and eUICC
KR20080029123A (ko) Apparatus and method for generating a standard user profile
CN104899069A (zh) An application software management system
HK1134709A (en) Apparatus and methods for detection and management of unauthorized executable instructions on a wireless device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11717751; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11717751; Country of ref document: EP; Kind code of ref document: A1)