WO2004062243A2 - System and method for distributed authorization for access to communications device - Google Patents


Info

Publication number
WO2004062243A2
Authority
WO
WIPO (PCT)
Prior art keywords
information
application
access
authorization
specific data
Application number
PCT/US2003/040125
Other languages
French (fr)
Other versions
WO2004062243A3 (en)
Inventor
Wei-Hsing Lee
Jyh-Han Lin
Ronald R. Smith
Original Assignee
Motorola, Inc, A Corporation Of The State Of Delaware
Application filed by Motorola, Inc, A Corporation Of The State Of Delaware
Related family applications and publications: EP03814848A (published as EP1582053A4), JP2004565539A (published as JP2006514763A), AU2003297229A (published as AU2003297229A1), WO2004062243A2 and WO2004062243A3 (this application)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W 8/20 Transfer of user or subscriber data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W 8/183 Processing at user equipment or user record carrier

Abstract

According to the invention, cellular telephones or other communications devices (102) may intercept requests (114) by applications (104), for instance applications received via over-the-air programming (OAP), to access sensitive device-specific data (110). That device-specific data (110) may include hardware identifiers such as IMEI or other serial or subscriber identification values, and personalized settings such as phone books, contact lists, messaging or other information. The requests (114) by applications (104) for access to that type of data may be intercepted, for instance, by an application programming interface (106) executing on the communications device (102). The application programming interface (106) may communicate the request (114), along with information identifying the requesting application, to a remote authorization server (118). The authorization server (118) may compare the application identifier or other information against a list or table of applications authorized (120) to access device-specific data (110). A grant, denial, deferral or other determination may be communicated back to the device, to permit or deny access accordingly. The routing of requests (114) for such data to a remote host server (118) may, for example, prevent the accessing or corruption of sensitive data by viruses, rogue applications or other types of wireless intrusions.

Description

SYSTEM AND METHOD FOR DISTRIBUTED AUTHORIZATION FOR ACCESS TO COMMUNICATIONS DEVICE
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] The subject matter of this application is related to the subject matter of U.S. Application Docket No. CM03699J entitled "System and Method for Distributed Authorization and Deployment of Over the Air Provisioning For a Communications Device", filed on the same day as this application, having the same inventors as this application, assigned or under obligation of assignment to the same entity as this application (Motorola, Inc.), and which application is incorporated by reference herein.
FIELD OF THE INVENTION
[0002] The invention relates to the field of communications, and more particularly to a distributed authorization system in which access to data on a mobile unit by onboard applications, such as phone book, hardware identifiers or other data on a cellular telephone or other device, may be regulated by an authorization process performed on a remote server or other resource.
BACKGROUND OF THE INVENTION
[0003] Many cellular telephones and other communications devices are now programmable in a variety of ways. For instance, many cellular telephones contain editable phone books to permit convenient storage and dialing of frequently-used or important numbers. Other cellular telephones or other devices have Web browsing, file sharing and other enhanced functionality, whether via graphical user interface, voice commands or other interfaces. Moreover, cellular telephones are becoming available which include integrated positioning capability, such as the ability to track, record and communicate handset position via GPS or other location service. Other services are being and will be deployed. Over-the-air programming (OAP) standards such as those employing the Java programming language have enhanced the delivery of such services, on an on-demand or other basis.
[0004] However, there are risks associated with the heightened programmability of cellular telephones and other devices. Handsets and other devices may have the storage capacity and intelligence to store a variety of sensitive or personal information, such as a handset's International Mobile Equipment Identity (IMEI) data, a subscriber identity module (SIM) ID or other related data, number assignment module (NAM) data, mobile identification number (MIN) data, electronic serial number (ESN) data, phone books, position tracking or other information. Devices which may accept Java or other over-the-air code could be presented with security risks due to malicious code such as viruses, disguised games or ring tones, or other code or data. Once a malicious process has invaded the device, the user's sensitive hardware, phone book, positioning or other data could be exposed and compromised.
[0005] While user-facing security measures may be incorporated, such as requiring passwords on a handset interface before permitting access to hardware, phone book or other data, over-the-air and other threats may continue to test the integrity of the mobile device and its data, including by way of low-level code which insinuates into the device at comparatively low levels, such as application programming interfaces (APIs) and other open ports or interfaces. Better core level security on communications devices is desirable. Other problems exist.
SUMMARY OF THE INVENTION
[0006] The invention overcoming these and other problems in the art relates in one regard to a system and method for distributed authorization for access to a communications device, in which a cellular handset or other communications device may be equipped to receive requests for sensitive onboard data by Java or other applications. Instead of attempting to locally authenticate a user or process for access to a given level of data within the device itself, according to the invention an authorization process may be initiated via a remote server or other resource. In embodiments, the communications device may present an API to internally executing programs through which all requests for sensitive data may be made. The API may communicate those requests, for instance, via an over-the-air interface to a remote support server for authentication. In embodiments, authentication may be made against a permission access list, enumerating valid programs or processes which have access rights to requested levels of data. When a request is validated, permission may be returned to the communications device to permit the requesting code to obtain the desired data.
BRIEF DESCRIPTION OF THE DRAWINGS
[0007] The invention will be described with reference to the accompanying drawings, in which like elements are referenced with like numbers, and in which:
[0008] Fig. 1 illustrates a distributed authorization architecture, according to an embodiment of the invention.
[0009] Fig. 2 illustrates an illustrative table for storing authorization parameters, according to an embodiment of the invention.
[0010] Fig. 3 illustrates a user interface on a communications device displaying an authorization notification, according to an embodiment of the invention.
[0011] Fig. 4 illustrates a flowchart of authorization processing, according to an embodiment of the invention.
DETAILED DESCRIPTION OF EMBODIMENTS
[0012] Fig. 1 illustrates a distributed authorization architecture in which an embodiment of the invention may operate. As illustrated in that figure, a communications device 102 may wirelessly communicate with an authorization server 118 to initiate and validate requests for access to device-specific data 110 made by applications running on communications device 102. Communications device 102 may be or include, for instance, a cellular telephone, a network-enabled wireless device such as a personal digital assistant (PDA) or personal information manager (PIM) equipped with an IEEE 802.11b or other wireless interface, a laptop or other portable computer equipped with an 802.11b or other wireless interface, or other communications or client devices. Communications device 102 may communicate with authorization server 118 via antenna 112, for instance in the 800/900 MHz, 1.9 GHz, 2.4 GHz or other frequency bands, or by optical or other links.
[0013] Device-specific data 110 may be or include, for instance, IMEI data, data from a SIM, chip-level data, phone books or contact lists or other personalized user settings, position tracking, electronic wallet, scheduling, cellular service or other billing, messaging such as short message service (SMS) or other text or other messaging, or other hardware-related, user-based or other information. Device-specific data 110 may be stored in communications device 102, for instance, in electronically programmable memory (EPROM), flash cards, or other electronic, optical or other media.
[0014] The communications device 102 may execute one or more applications 104, for instance a Java application, which in embodiments may include a Java Micro Edition application, a C or C++ program, or other program or code. In embodiments, application 104 may be or include, for instance, a contact scheduler application, a phone book application, a Web browsing application, a financial application, a personal information manager (PIM) application, or other application or service. In embodiments, application 104 may conform to or be implemented using the Java mobile information device profile (MIDP) standard, in which case the applications may be referred to as MIDlets, or other languages or environments. In embodiments, application 104 may be received over the air via antenna 112, or received or stored from other sources, such as a cable-connected download.
[0015] The application 104 may interact with an application programming interface 106, which in turn communicates with authorization server 118 and with native layer 108 executing on communications device 102. Application programming interface 106 may present a programming interface to application 104 to mediate requests to the set of device-specific data 110 on communications device 102 and perform other tasks. In embodiments, application programming interface 106 may present application-accessible interfaces to data or object classes such as, for instance, network, user interface, data attributes and data content, and other resources. Native layer 108 may in embodiments operate at a comparatively low level in communications device 102, and act on requests passed by application programming interface 106 for device-specific data 110. Native layer 108 may for example in embodiments perform supervisory, file and memory management, and other tasks.
[0016] When application 104 presents an access request 114 for device-specific data 110, to ensure the integrity of that data and prevent unauthorized or malicious access to that information, application programming interface 106 may trap that access request 114 at the system level for offboard processing, before permitting any of device-specific data 110 to be released.
[0017] Specifically, when application programming interface 106 receives an access request 114 from application 104 for device-specific data 110, application programming interface 106 may communicate with authorization server 118 to authorize that access request 114. Application programming interface 106 may communicate with the authorization server 118 via server antenna 116, or other wireless or wired interfaces. Application programming interface 106 may transmit access request 114 containing, for instance, the type of data requested from the set of device-specific data 110, the name or other identifying information for application 104, access parameters such as time of last access, passwords if requested, or other data related to the access request 114 for part or all of device-specific data 110 to authorization server 118.
[0018] Authorization server 118 may maintain a set of authorization parameters 120 against which to process the access request 114 for access to device-specific data 110. As illustrated in Fig. 2, for example, authorization parameters 120 may be maintained in authorization table 124, which may be stored in or accessed by authorization server 118. Authorization table 124 may contain a set of application identifiers 126 (APP IDENTIFIER 1, APP IDENTIFIER 2 ... APP IDENTIFIER N, N arbitrary), which identifiers may in embodiments include a list of application names or other identifiers, such as "phonebook.MID", "contactlist.c", "positiontrack.exe" or other names or indicia. Authorization table 124 may likewise contain a set of associated access levels 128, correlated by application name or other indicia, which may indicate whether a given application 104 may be permitted to access device-specific data 110, and in embodiments at which levels or with what privileges (e.g., read, edit, or other) that access may be granted.
[0019] When the pending access request 114 by application 104 is validated against the authorization parameters 120 by authorization server 118, authorization server 118 may transmit an authorization message 122 to communications device 102. The authorization message 122 may contain, for instance, a code, flag or other indication that application 104 may access device-specific data 110. In embodiments, the authorization message 122 may contain additional fields or variables by which access to device-specific data 110 may be regulated, for instance a privilege field or flag which indicates whether application 104 may have the right to read, to modify, erase or perform other actions on device-specific data 110. Authorization message 122 may likewise contain a timeout field which sets a period of time in which application 104 may access the desired data, but after which authorization may expire. Other security variables are possible. In embodiments, for example, the authorization may be granted for a single application 104, or for more than one application, or for different applications at different times. In embodiments, authorization to access device-specific data 110 reflected in authorization message 122 may be made at differing levels for different parts of that data, depending on the sensitivity of the data, the nature of the application 104 making the access request 114, and other factors.
[0020] When the communications device 102 receives authorization message 122 and the desired access is granted, the application programming interface 106 may pass the access request 114 to native layer 108, which may retrieve the requested data from device-specific data 110. Native layer 108 may then pass the retrieved device-specific data 110 to application programming interface 106 to be delivered to application 104. Application 104 may then receive and read the requested part or whole of device-specific data 110, to operate on or modify that data. In embodiments, application 104 may also receive authorization to store modified data into device-specific data 110, to transmit the device-specific data 110 over the air interface of antenna 112, or take other action, depending on the type or level of authorization received, network security and other parameters.
[0021] When the authorization server 118 is unable to authorize the access request 114 against authorization parameters 120, the authorization message 122 may contain a deny flag or other indicator that application 104 may not access part or any of device-specific data 110. In this case, as illustrated in Fig. 3, in embodiments the communications device 102 may notify the user that an application or service has been denied access to device-specific or sensitive information. As illustrated, that notification may be, for instance, by way of a pop-up message 132 presented on a text or graphical user interface 130 as shown, by a verbal message or otherwise. This notification may, for instance, assist the user in deciding to run an anti-virus or other utility on communications device 102, or to take other action. In embodiments, denial of access to device-specific data 110 may trigger automatic logging of application 104, automatic transmission of an anti-virus or other utility to communications device 102, or other action.
[0022] Overall processing of distributed authorization for a communications device according to an embodiment of the invention is illustrated in Fig. 4. In step 402, application 104 may request one or more parts of device-specific data 110 from the communications device 102 via application programming interface 106 and native layer 108, at the API or other level. In step 404, the access request 114 may be transmitted to the authorization server 118, for instance via an over-the-air protocol, which for example may be communicated using a secure or other protocol such as secure sockets layer (SSL), hypertext transfer protocol secure (HTTPS) or another protocol or interface. The request may, in embodiments, encapsulate data such as the name or other identifier of application 104, the type of data in device-specific data 110 being requested, and other information.
[0023] In step 406, the authorization server 118 may check the access request 114 by application 104 against authorization parameters 120 or other security fields or templates, make an authorization determination and communicate an authorization message 122 to communications device 102. The authorization message 122 may contain an indication that the access request 114 is granted, denied, deferred, that further information will be required, or that other action may be taken. In step 408, upon receipt of a grant decision from authorization server 118, the native layer 108 may read out the one or more parts of device-specific data 110 which application 104 has been authorized to access. In step 410, the native layer 108 may communicate the one or more parts of device-specific data 110 which application 104 has been authorized to access to application programming interface 106. In step 412, the application programming interface 106 may communicate the requested device-specific data 110 to the application 104. Processing may then repeat, return to an earlier point, continue to further processing or terminate.
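The flow of steps 402 through 412, together with the privilege and timeout fields of paragraph [0019] and the denial notification of paragraph [0021], modelled as an added example that is not code from the patent or from Motorola. The application identifiers, data classes, authorization parameters and device data are constructed for illustration; the authorization server is a local function standing in for the remote facility and its transport.

```python
"""Added example (not the patent's own code): a minimal model of the
distributed authorization flow of Fig. 4.  Names, fields and the sample
authorization parameters below are constructed for illustration."""
from dataclasses import dataclass, field
import time

# Constructed authorization parameters (claims 6-8): authorized application
# identifiers mapped to the data classes each may touch and its privileges.
AUTH_PARAMS = {
    "com.example.dialer": {"phone_book": {"read"}, "contacts": {"read", "modify"}},
    "com.example.wallet": {"ewallet": {"read", "modify"}},
}
# Constructed device-specific data; the IMEI is a placeholder, not a real value.
DEVICE_DATA = {"imei": "IMEI-PLACEHOLDER", "phone_book": ["Alice", "Bob"],
               "contacts": ["Carol"], "ewallet": {"balance": 10}}

@dataclass
class AccessRequest:          # step 404: carries the app id and data requested
    app_id: str
    data_types: tuple
    privilege: str = "read"

@dataclass
class AuthorizationMessage:   # step 406: decision plus per-part regulation
    decision: str             # "grant", "deny", "defer" or "more_info"
    granted: dict = field(default_factory=dict)   # data part -> privilege set
    expires_at: float = 0.0   # timeout field; access is void once reached

def authorization_server(req, params=AUTH_PARAMS, ttl=300, now=None):
    """Check the request against the authorization parameters (step 406)."""
    now = time.time() if now is None else now
    allowed = params.get(req.app_id)
    if allowed is None:
        return AuthorizationMessage("deny")          # unknown application id
    granted = {t: allowed[t] for t in req.data_types
               if t in allowed and req.privilege in allowed[t]}
    if not granted:
        return AuthorizationMessage("deny")
    # Differing levels per part ([0019]): unlisted parts are simply withheld.
    return AuthorizationMessage("grant", granted, now + ttl)

def native_layer_read(msg, req, data=DEVICE_DATA, now=None):
    """Steps 408-412: read out only the parts the message authorizes."""
    now = time.time() if now is None else now
    if msg.decision != "grant" or now >= msg.expires_at:
        return None                                  # denied or expired
    return {t: data[t] for t in req.data_types if t in msg.granted}

def device_api(req, server=authorization_server, now=None):
    """Device side: forward the request, enforce the reply, notify on denial."""
    msg = server(req, now=now)
    result = native_layer_read(msg, req, now=now)
    if result is None:
        # Fig. 3: user notification; a real device would also log the app.
        return {"status": "denied", "notice": f"{req.app_id} was denied access"}
    return {"status": "granted", "data": result}
```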
[0024] The foregoing description of the system and method for distributed authorization for access to a communications device according to the invention is illustrative, and variations in configuration and implementation will occur to persons skilled in the art. For instance, while the invention has generally been described as being implemented in terms of a single authorization server 118, in embodiments one or more servers or other resources may be deployed. Similarly, while the invention has generally been described as testing for authorization against one set of authorization parameters 120, in embodiments the security data against which requests may be authorized may consist of multiple local or remote data stores.
[0025] Likewise, while the invention has been generally described in terms of a communications device 102 having an intermediary native layer 108, in embodiments the communications device 102 may operate without that type of local layer, for instance with some functionality distributed to authorization server 118 or otherwise. Communications device 102 may conversely contain or operate on other or multiple supervisory layers. Other hardware, software or other resources described as singular may be implemented in multiple or distributed resources, while other hardware, software or other resources described as distributed may likewise be implemented as integrated resources. The scope of the invention is accordingly intended to be limited only by the following claims.

Claims

CLAIMS
We claim:
1. A system for processing requests to access data on a communications device, comprising:
device-specific data;
at least one application, the at least one application generating a request for access to the device-specific data;
an interface to a remote authorization facility; and
an application programming interface executing on the communications device, the application programming interface interfacing to the at least one application and the device-specific data, the application programming interface communicating the request for access to the device-specific data to the remote authorization facility via the interface to request an authorization determination.
2. A system according to claim 1, wherein the device-specific data comprises at least one of International Mobile Equipment Identity information, subscriber identity module information, number assignment module information, mobile identification number information, electronic serial number information, chip-level information, phone book information, contact list information, position tracking information, electronic wallet information, scheduling information, billing information and messaging information.
3. A system according to claim 1, wherein the interface to the remote authorization facility comprises a wireless interface.
4. A system according to claim 1, wherein the communications device comprises at least one of a cellular telephone and a network-enabled digital information device.
5. A system according to claim 1, wherein the remote authorization facility comprises a server.
6. A system according to claim 1, wherein the remote authorization facility comprises a store of authorization parameters.
7. A system according to claim 6, wherein the store of authorization parameters comprises at least a set of authorized application identifiers.
8. A system according to claim 7, wherein the authorization parameters further comprise authorization levels associated with the authorized application identifiers.
9. A system according to claim 1, wherein the at least one application comprises an application received via a wireless interface.
10. A system according to claim 1, wherein the authorization determination comprises at least one of a grant of access to the device-specific data, a denial of access to the device-specific data, a deferral of access to the device-specific data, and a request for further information for a further authorization determination.
PCT/US2003/040125 2002-12-31 2003-12-16 System and method for distributed authorization for access to communications device WO2004062243A2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP03814848A EP1582053A4 (en) 2002-12-31 2003-12-16 System and method for distributed authorization for access to communications device
JP2004565539A JP2006514763A (en) 2002-12-31 2003-12-16 Distributed authentication system and method for permitting connection to communication device
AU2003297229A AU2003297229A1 (en) 2002-12-31 2003-12-16 System and method for distributed authorization for access to communications device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US33414102A 2002-12-31 2002-12-31
US10/334,141 2002-12-31

Publications (2)

Publication Number Publication Date
WO2004062243A2 true WO2004062243A2 (en) 2004-07-22
WO2004062243A3 WO2004062243A3 (en) 2004-08-26

Family

ID=32710862

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/040125 WO2004062243A2 (en) 2002-12-31 2003-12-16 System and method for distributed authorization for access to communications device

Country Status (6)

Country Link
EP (1) EP1582053A4 (en)
JP (1) JP2006514763A (en)
KR (1) KR20050096114A (en)
CN (1) CN1732674A (en)
AU (1) AU2003297229A1 (en)
WO (1) WO2004062243A2 (en)

Also Published As

Publication number Publication date
WO2004062243A3 (en) 2004-08-26
EP1582053A2 (en) 2005-10-05
AU2003297229A8 (en) 2004-07-29
CN1732674A (en) 2006-02-08
JP2006514763A (en) 2006-05-11
KR20050096114A (en) 2005-10-05
EP1582053A4 (en) 2006-04-12
AU2003297229A1 (en) 2004-07-29

Legal Events

Date Code Title Description
AK Designated states (kind code of ref document: A2). Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW
AL Designated countries for regional patents (kind code of ref document: A2). Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase. Ref document number: 2003814848. Country of ref document: EP
WWE Wipo information: entry into national phase. Ref document number: 2004565539. Country of ref document: JP
WWE Wipo information: entry into national phase. Ref document numbers: 1020057012427 (country of ref document: KR); 20038A80253 (country of ref document: CN)
WWP Wipo information: published in national office. Ref document numbers: 2003814848 (country of ref document: EP); 1020057012427 (country of ref document: KR)
WWW Wipo information: withdrawn in national office. Ref document number: 2003814848. Country of ref document: EP