This application claims priority from and the benefit under 35 U.S.C. §119(a) of Korean Patent Application No. 10-2011-0086859, filed on Aug. 29, 2011, which is hereby incorporated by reference for all purposes as if fully set forth herein.
1. Field
The following description relates to a method and portable device for controlling permission settings for an application, and more particularly, to a method and portable multifunction device for establishing and managing settings for permissions for an application to access secured resources.
2. Discussion of the Background
A portable device (hereinafter referred to as a ‘device’), such as a smartphone, a smart pad, a personal digital assistant (PDA), a tablet computer, and the like, may be used by a single user, and the usage characteristics, personal information, and mobility information of that user may be personalized and stored by the portable device. In addition, the portable device may differ from a desktop computer, since personal information of the user is often registered when subscribing to communication services using the portable device.
The portable device may use personal information and financial information of a user in mobile commerce services, and thus enhanced security for the personal information and financial information of the user may be considered by consumers. As evolved portable devices embedding an operating system similar to that of a desktop computer have emerged, demands for enhanced security for the portable devices have increased. However, due to different features of the portable devices, the security and safety of the device may not be maintained by the same method used for the desktop computer.
Further, current portable devices lack security-related information to be provided to a user. For example, the Android operating system (OS) simply provides a general list of system resources in use. Thus, it may not be easy for a user to determine security risks of an application. Moreover, the user may not be clearly informed of types of personal information which may be used inappropriately by the application. Further, an importance level of each item using the system resources may not be shown to the user.
Exemplary embodiments of the present invention provide a method and portable device for controlling permission settings for an application to access secured resources.
Additional features of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention.
An exemplary embodiment of the present invention provides a portable device to control permissions, including a mode setting unit to select an access control mode for an application, the access control mode being associated with one or more permissions to manage resources of the portable device; an execution unit to execute the application in the access control mode; and an access control unit to control the one or more permissions for the application according to the access control mode.
An exemplary embodiment of the present invention provides a method for controlling permissions of a portable device, including selecting an access control mode for an application, the access control mode being associated with one or more permissions to manage resources of the portable device; executing the application in the access control mode; and controlling the one or more permissions for the application according to the access control mode.
An exemplary embodiment of the present invention provides a method for controlling permissions of a portable device, including requesting a permission to install an application; installing the application; displaying one or more access restriction modes during installing the application; receiving an input to select an access restriction mode; and modifying a permission setting according to the access restriction mode.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention as claimed. Other features and aspects will be apparent from the following detailed description, the drawings, and the claims.
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention, and together with the description serve to explain the principles of the invention.
Exemplary embodiments now will be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments are shown. The present disclosure may, however, be embodied in many different forms and should not be construed as limited to the exemplary embodiments set forth therein. Rather, these exemplary embodiments are provided so that the present disclosure will be thorough and complete, and will fully convey the scope of the present disclosure to those skilled in the art. In the description, details of well-known features and techniques may be omitted to avoid unnecessarily obscuring the presented embodiments.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the present disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. Furthermore, the use of the terms a, an, etc. does not denote a limitation of quantity, but rather denotes the presence of at least one of the referenced item. The use of the terms “first”, “second”, and the like does not imply any particular order, but they are included to identify individual elements. Moreover, the use of the terms first, second, etc. does not denote any order or importance, but rather the terms first, second, etc. are used to distinguish one element from another. It will be further understood that the terms “comprises” and/or “comprising”, or “includes” and/or “including” when used in this specification, specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, regions, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that for the purposes of this disclosure, “at least one of” will be interpreted to mean any combination of the enumerated elements following the respective language, including combinations of multiples of the enumerated elements. For example, “at least one of X, Y, and Z” will be construed to mean X only, Y only, Z only, or any combination of two or more items X, Y, and Z (e.g. XYZ, XZ, XZZ, YZ, X).
Portable device 1 (hereinafter, it may be referred to as a “device”) may provide general communicating device operations and computer-supported operations including Internet communication and data search through wireless Internet connections. The device 1 may be a smartphone or a Smart Pad, or any present and future device having similar functions as a smartphone.
Referring to
The application domain 10 may include multiple applications 100 (App 1, App 2, and App n), and a mode setting unit 110. The mode setting unit 110 may classify permissions related to applications into groups according to various access control modes (for example, Mode 1, Mode 2, . . . , Mode n). Permissions related to authorization requested by the application will be described later with reference to
The mode setting unit 110 may selectively apply access restriction modes, for example, Mode 1, Mode 2, and Mode n, to each of the applications 100, for example, App 1, App 2, and App n. For example, as shown in
The mode setting unit 110 may extract permission information from at least one of applications installed in the portable device, and classify the extracted permission information into groups according to at least one of access control modes, i.e., game restriction mode, user access control mode, sleep mode, shared-file restriction mode, power save mode, do-not-track mode, call restriction mode, or the like. Further, the mode setting unit 110 may hierarchically categorize the permissions related to applications into groups. Specifically, as shown in
The framework domain 12 may control each application 100 (App 1, App 2, . . . , App n) and corresponding permissions. The framework domain 12 may include an access control unit 120 and an interface unit 122. The access control unit 120 may control an external access to an application on the basis of a group of access restriction modes by restricting or allowing the occurrence of a permission event which is included in the access restriction mode. The interface unit 122 may output the groups of access restriction modes in a display and receive a user's input to select a user permission setting for the access restriction mode. The access control unit 120 may control external access to the device, or restrict information leakage from the device according to the permission event. The permission event may refer to an event whereby the access control unit 120 determines whether to grant or deny permission for some action to occur.
The access control unit 120 may control the interface unit 122 to display a list of access restriction modes for each application or a list of applications for each access control mode during installing or executing an application. Further, the access control unit 120 may control the interface unit 122, thereby allowing the user to select the user permission setting for the access restriction mode. In response to the user's selection of user permission setting, the access control unit 120 may control an external access to the device or information leakage from the device by restricting or permitting the occurrence of a permission event according to a corresponding access control mode.
Further, the access control unit 120 may search for an access restriction mode related to a permission or permission setting requested by an application from groups of access restriction modes during the installation or an execution of the application, and control the interface unit 122 to display one or more searched access restriction modes. The access control unit 120 may control the interface unit 122, thereby allowing the user to select and input a user permission setting for the access restriction mode. The access control unit 120 may restrict or allow the occurrence of a permission event of the access restriction mode based on the user's selection of the permission setting.
As a result of a permission event, the access control unit 120 may provide resources or data to an application once permission for the application to access the resources or the data is allowed. If access permission is denied as a result of the permission event, a value of NULL may be returned, the application may be terminated, or a warning signal may be notified.
Referring to
Game restriction mode is to control the execution of files (for example, APK files of Android system) in association with a game category (i.e., game category of the Android Market or App Store). Sleep mode as safe mode is to restrict an access when the device is not in use for a certain period of time, such as when the user is sleeping. The sleep mode may include access restriction function with respect to permissions related to financial information access, file access, and SD card installation.
User access control mode is to restrict another user from executing a secured application in the device. The user access control mode may include personal information access restriction mode and financial information access restriction mode. If the personal information access restriction mode is activated by the user, no application is allowed to access personal information. The personal information access restriction mode may restrict access to permissions related to address book access restriction, message sending restriction, system information access restriction, and location information access restriction.
The shared file restriction mode is to prevent a leakage of a file by restricting an access to the file. The shared file restriction mode may control access to permissions related to file access restriction, network access restriction, and SD card installation restriction. The power save mode is to control operations of the device that cause higher battery consumption. The power save mode may restrict access to permissions related to network access restriction and hardware control restriction.
The do-not-track mode is to control the provision of location information of the portable device. The do-not-track mode restricts access to permission related to location information, such as global positioning system (GPS) information. The call control mode is to control call operations such as voice call, video call, and the like. The exemplary embodiments described herein with reference to
Referring to
For example, if the portable device has an Android-based operating system, location-related permissions, such as ACCESS_FINE_LOCATION, CONTROL_LOCATION_UPDATE, and READ_CONTACTS, may be managed in location information restriction mode. In network access restriction mode, network-related permissions, such as ACCESS_WIFI_STATE, BLUETOOTH, WRITE_APN_SETTINGS, ACCESS_COARSE_LOCATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_STATE, and INTERNET, may be managed. In contact book access restriction mode, contact information-related permissions, such as WRITE_CONTACTS, may be managed. In message sending restriction mode, message-related permissions, such as WRITE_SMS, may be managed. In system information restriction mode, system information-related permissions, such as WRITE_SETTINGS and CHANGE_CONFIGURATION, may be managed. In file access restriction mode, file system-related permissions, such as MOUNT_UNMOUNT_FILESYSTEMS, may be managed. In SD card restriction mode, SD card access-related permissions, such as INSTALL_PACKAGES, may be managed.
In personal information restriction mode, personal information-related permissions, such as WRITE_CALENDAR, CLEAR_APP_USER_DATA, and READ_CALENDAR, may be managed. In hardware control restriction mode, hardware operation-related permissions, such as VIBRATE and CAMERA, may be managed. In call restriction mode, call-related permissions, such as CALL_PHONE and CALL_PRIVILEGED, may be managed.
For a portable device capable of installing various applications, permissions offered during installing an application may be confusing for a user to understand. Thus, it may be difficult for the user to make a decision for selecting specific permission settings for the application during installing or deleting the application. For example, the android comic viewer (ACV) of the Android OS for reading a comic book or a magazine may provide a user interface during installation for the user to select permissions to be allowed to the application with respect to, for example, storage (modify/delete SD card contents), network communication (full Internet access), and the like. In this case, the user may become confused during installing or deleting the application due to the complicated security information or insufficient security information.
Thus, as shown in
A list of applications for each access restriction mode may be provided upon executing an application of a device. Further, a list of access restriction modes that can be applied for an application may be provided. For example, as shown in
Referring to
Further, the device 1 may restrict or allow the occurrence of a permission event included in each access restriction mode to control the access from outside of the device 1 or leakage of information with respect to the permission information of the access restriction mode in operation 610.
For example, the device 1 may display a list of access restriction modes of each application or a list of applications of each access restriction mode during installing or executing an application. Further, the user may select a user permission associated with the access restriction mode. In response to the user's selection of the user permission, the device 1 may restrict or allow the occurrence of a permission event of the corresponding access restriction mode.
Further, the device 1 may search for an access restriction mode related to a permission requested by an application during installation or execution of the application from groups of access restriction modes, and display searched access restriction modes. Then, the user may select a user permission setting for the access restriction mode and input the selection. If the application was previously installed, the user may have already selected the permission setting, in which case the step of the user selecting user permission setting may be omitted during the application execution as described here. If the permission for the application is allowed in response to the user's selection or a pre-set permission setting, resource or data requested by the application may be provided according to the permission setting, and if the permission is denied, a value of NULL may be returned, the application may be terminated, or a warning signal may be notified.
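The mode search and permission-event handling described above can be sketched as follows. This is an added example, not code from the patent: every name in it (`MODE_PERMISSIONS`, `AccessControlUnit`, the `comic_viewer` app) is hypothetical, the mode-to-permission table copies a subset of the Android examples given in the description, and denial is modeled with the "return NULL" option plus a logged warning.

```python
from dataclasses import dataclass, field

# Leaf modes and the permissions they manage (subset of the description's examples).
MODE_PERMISSIONS = {
    "location information restriction": {
        "ACCESS_FINE_LOCATION", "CONTROL_LOCATION_UPDATE", "READ_CONTACTS"},
    "network access restriction": {
        "ACCESS_WIFI_STATE", "BLUETOOTH", "CHANGE_NETWORK_STATE",
        "CHANGE_WIFI_STATE", "INTERNET"},
    "message sending restriction": {"WRITE_SMS"},
    "hardware control restriction": {"VIBRATE", "CAMERA"},
    "call restriction": {"CALL_PHONE", "CALL_PRIVILEGED"},
}

# Hierarchical grouping: user-facing modes built from leaf modes.
COMPOSITE_MODES = {
    "power save": ["network access restriction", "hardware control restriction"],
    "do-not-track": ["location information restriction"],
}


def permissions_of(mode):
    """Expand a leaf or composite mode into the set of permissions it covers."""
    if mode in COMPOSITE_MODES:
        perms = set()
        for sub in COMPOSITE_MODES[mode]:
            perms |= permissions_of(sub)
        return perms
    return set(MODE_PERMISSIONS[mode])  # KeyError for an unknown mode


def modes_for(requested):
    """Search all modes for those touching a permission the application requests."""
    candidates = list(MODE_PERMISSIONS) + list(COMPOSITE_MODES)
    return sorted(m for m in candidates if permissions_of(m) & set(requested))


@dataclass
class AccessControlUnit:
    active: dict = field(default_factory=dict)    # app -> modes the user switched on
    warnings: list = field(default_factory=list)  # (app, permission, mode) per denial

    def restrict(self, app, mode):
        permissions_of(mode)  # validate the mode name before storing it
        self.active.setdefault(app, set()).add(mode)

    def permission_event(self, app, permission, provider):
        """Decide one permission event; the resource is only read when allowed."""
        for mode in sorted(self.active.get(app, ())):
            if permission in permissions_of(mode):
                self.warnings.append((app, permission, mode))
                return None  # the description's NULL result on denial
        # Permissions outside every active mode of this app are not restricted.
        return provider()


def demo():
    # Constructed sample: an app requesting network and camera access.
    acu = AccessControlUnit()
    shown = modes_for({"INTERNET", "CAMERA"})  # modes offered to the user
    acu.restrict("comic_viewer", "power save")  # the user's selection
    denied = acu.permission_event("comic_viewer", "INTERNET", lambda: "socket")
    allowed = acu.permission_event("comic_viewer", "WRITE_SMS", lambda: "sms-handle")
    return shown, denied, allowed, acu.warnings
```

Passing the resource as a callable keeps the decision ahead of the access, so a denied event never reads the protected data.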
Referring to
The device 1 may search for an access restriction mode based on permissions requested by the application, and display searched access restriction mode in operation 760. The user may select and input a user permission setting for the searched access restriction mode in operation 770. The user may modify a permission setting for an access restriction mode for permissions requested by the application in operation 780.
Referring to
Referring to
Referring to
According to exemplary embodiments of the present invention, a user may understand better the information related to security of an application. Since the security-related information is classified into groups, and the groups of information are provided to a user, the user may understand the security-related information. Since many users do not have knowledge on system terminologies (for example, IMEI), the users may not recognize a potential security threat that may occur when using security-related resource. However, according to the exemplary embodiments of the present invention, even in absence of knowledge of system terminologies or security-related resources, the user may set permissions using security-related information which is classified into groups or access restriction modes, and thus the security-related information including personal data may be prevented from being leaked.
Further, the portable device may assist the user in evaluating the security risk in installing and deleting an application from an untrusted source. Because device applications are generally created by individual developers, they may be much less reliable in comparison with computer applications. However, preventing installation or execution of all device applications that use system information may lead to inconvenience to the user.
According to the exemplary embodiments of the present invention, the user may search for an access restriction mode from groups of access restriction modes that are classified, and modify permission settings for each access restriction mode. Therefore, the user may be able to recognize a potential security risk of each application, and may decide which applications to install, execute, or delete.
Moreover, while the device is not in use, an external access to the security-related information containing important personal data may be prevented to avoid information leakage, and applications may be prevented from accessing resources.
Furthermore, an application may be prevented from accessing system information from a background due to malicious code, since the device may have a risk that may not be recognized by a user. For example, if a malicious developer designs an application such that an application shortcut icon is hidden, the user of the device may not be aware of the presence of the application after installation. However, according to the present invention, permissions to access resource may be set for each application, and thus an access to resources by a malicious user may be prevented.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.
Number | Date | Country | Kind |
---|---|---|---|
10-2011-0086859 | Aug 2011 | KR | national |