The present description relates to methods and systems for the encapsulation of applications and more particularly, the encapsulation of applications for the adaptive loading of such applications.
In an effort to increase productivity, many employers allow their workers to conduct business related to the employer on their personal mobile devices. In some cases, employers also provide some of their employees with company-issued mobile devices. In either arrangement, an employer understands that a single device may include sensitive data related to that employer in addition to data that is personal to the employee. Several advances have been made in an effort to protect an employer's data in these circumstances. For example, OpenPeak Inc. of Boca Raton, Fla. has developed solutions that enable a mobile device to include both enterprise and personal data but that isolate the enterprise data from the personal data. As part of these solutions, an employee may download secure applications that may be used to conduct transactions related to the enterprise, but these secure applications are prevented from exchanging data with conventional or non-secure applications.
These secure applications are typically altered to enable management of the applications and for security purposes, a process sometimes referred to as “wrapping” the application. In certain cases, an application is wrapped by manipulating the binary of the application and inserting code in the application to enable the interception of calls to and from the application. This process can increase the functionality of the application and can make it secure, as described above. There may be times, however, when the structure of the secure application is incompatible with the requirements of an entity that operates an application store to which the secure application is intended to be uploaded.
A method of encapsulating a target application is described herein. The method can include the step of performing an analysis of the target application to determine one or more characteristics of the target application. Based on the analysis of the target application, a blueprint of the target application can be generated. Based on the blueprint, an encapsulation application for the target application can be constructed. The method can also include the step of encapsulating the target application with the encapsulation application to create an encapsulated target application to enable adaptive loading of the target application.
In one arrangement, the encapsulation application can include a text segment and a data segment. Encapsulating the target application can include the steps of padding the text segment and the data segment of the encapsulation application and extracting a text segment and a data segment of the target application. Encapsulating the target application can also include the step of writing the text segment and the data segment of the target application in the padding of the text segment and the data segment of the encapsulation application. The method can further include the step of providing the encapsulated target application to an application repository.
The method can also include the step of identifying a starting point of the text segment and the data segment of the encapsulation application and a corresponding starting point for the text segment and the data segment of the target application. In addition, writing the text segment and the data segment of the target application may include writing the text segment and the data segment of the target application beginning at the starting point of the text segment and the data segment of the encapsulation application. Padding the text segment and the data segment of the encapsulation application may be based on the blueprint of the target application.
Another method of encapsulating an application is described herein. The method can include the step of analyzing a target application to determine one or more characteristics of the target application. Based on the analysis, an encapsulation application can be constructed. In addition, the method can include the step of encapsulating the target application with the encapsulation application to create an encapsulated target application that is configured to enable adaptive loading of the target application when the encapsulated target application is loaded into memory.
As an example, encapsulating the target application with the encapsulation applications can include reserving a portion of the encapsulation application to receive at least a portion of the target application and writing the portion of the target application into the reserved portion of the encapsulation application. As another example, reserving the portion of the encapsulation application may include padding predetermined sections of the encapsulation application. Also, writing the portion of the target application may include writing corresponding predetermined sections of the target application into the predetermined sections of the encapsulation application. The method can further include the step of receiving the target application from a developer of the target application.
A system for encapsulating a target application is also described herein. The system can include an interface that is configured to receive the target application and a linker that can be communicatively coupled to the interface. In one arrangement, the linker can include an analyzer that can be configured to analyze the target application to determine one or more characteristics of the target application and to generate a blueprint of the target application based on the analysis of the target application. The linker can also include a compiler that can be communicatively coupled to the analyzer. The compiler can be configured to construct an encapsulation application based on the blueprint of the target application and to encapsulate the target application with the encapsulation application to create an encapsulated target application. The encapsulated target application can be configured to enable adaptive loading of the target application.
In one arrangement, the compiler may be configured to encapsulate the target application with the encapsulation application by (1) identifying a portion of the encapsulation application; (2) reserving the portion of the encapsulation application for the target application; and (3) writing at least a portion of the target application into the reserved portion of the encapsulation application. In addition, the compiler may be configured to reserve the portion of the encapsulation application by writing non-functional code into the identified portions of the encapsulation application. The compiler may also be configured to write the portion of the target application by overwriting the non-functional code in the identified portions of the encapsulation application with the portion of the target application. In another arrangement, the compiler may be configured to extract data from the target application so that the compiler is able to write the portion of the target application into the reserved portion of the encapsulation application. The interface of the system may be further configured to send the encapsulated target application to an application store for eventual distribution.
Another method of encapsulating a target application is described herein. This method can include the steps of performing an analysis of the target application to determine one or more characteristics of the target application and based on the analysis of the target application and generating a blueprint for the target application. Based on the blueprint, an encapsulation application for the target application can be constructed. The method can also include the steps of encapsulating the target application with the encapsulation application to create an encapsulated target application and loading the encapsulation application in memory. Memory can be allocated for the encapsulated target application, and the encapsulated target application can be remapped into the allocated memory. Additionally, the encapsulated target application can be configured to enable the calls of the encapsulated target application to be intercepted by the encapsulation application. Each of the steps of the methods described above can be performed or facilitated by one or more processing units or other similar hardware components, including individually or working in tandem with one or more other devices or components.
A non-transitory computer readable storage medium having stored thereon computer readable program code is also described herein. The computer readable program code, when executed by a system comprising a processing unit and a memory, can cause the system to perform an analysis of a target application to determine one or more characteristics of the target application and based on the analysis, construct an encapsulation application for the target application. The computer readable program code, when executed by the system, can also cause the system to encapsulate the target application with the encapsulation application to create an encapsulated target application to enable adaptive loading of the target application.
In one example, the encapsulation application includes a text segment and a data segment. The computer readable code may further cause the system to encapsulate the target application by (1) padding the text segment and the data segment of the encapsulation application; (2) extracting a text segment and a data segment of the target application; and (3) writing the text segment and the data segment of the target application in the padding of the text segment and the data segment of the encapsulation application. The computer readable code can further cause the system to pad the text segment and the data segment of the encapsulation application based on the blueprint of the target application. In another example, the computer readable code can cause the system to pad the text segment and the data segment by appending the text segment and the data segment with non-functional code that is to be overridden with other code at a later time.
Further features and advantage, as well as the structure and operation of various embodiments, are described in detail below with reference to the accompanying drawings. It is noted that this description is not limited to the specific embodiments presented herein. Such embodiments are provided for illustrative purposes only. Additional embodiments will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein.
The accompanying drawings, which are incorporated herein and form part of the specification, illustrate embodiments of the subject matter described herein and, together with the description, further serve to explain the principles of such subject matter and to enable a person skilled in the relevant art(s) to make and use the subject matter.
Applicants expressly disclaim any rights to any third-party trademarks or copyrighted images included in the figures. Such marks and images have been included for illustrative purposes only and constitute the sole property of their respective owners.
The features and advantages of the embodiments herein will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements.
The following detailed description refers to the accompanying drawings that illustrate exemplary embodiments; however, the scope of the present claims is not limited to these embodiments. Thus, embodiments beyond those shown in the accompanying drawings, such as modified versions of the illustrated embodiments, may nevertheless be encompassed by the present claims.
References in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” “one arrangement,” “an arrangement” or the like, indicate that the embodiment or arrangement described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment or arrangement. Furthermore, when a particular feature, structure, or characteristic is described in connection with an embodiment or arrangement, it is submitted that it is within the knowledge of one skilled in the art to implement such feature, structure, or characteristic in connection with other embodiments or arrangements whether or not explicitly described. The term “among,” as it is used throughout this description, should not necessarily be interpreted as requiring exchanges or interaction among three or more applications, irrespective of grammar rules. The word “a” is defined as one or more.
Several definitions that apply throughout this document will now be presented. The term “exemplary” as used herein is defined as an example or an instance of an object, apparatus, system, entity, composition, method, step or process. The term “communicatively coupled” is defined as a state in which two or more components are connected such that communication signals are able to be exchanged (directly or indirectly) between the components on a unidirectional or bidirectional (or multi-directional) manner, either wirelessly, through a wired connection or a combination of both. A “computing device” is defined as a component that includes one or more processing units and memory and that is configured to perform some process or function for a user and includes both mobile and non-mobile devices. The term “non-transitory computer readable storage medium” is defined as one or more non-transitory components that are configured to store instructions that are to be executed by one or more processing units.
An “application” is defined as a program or programs that perform one or more particular tasks on a computing device. Examples of an application include programs that may present a user interface for interaction with a user or that may run in the background of an operating environment that may not present a user interface while in the background. The term “operating system” is defined as a collection of software components that directs a computing device's operations, including controlling and scheduling the execution of other programs and managing storage, input/output and communication resources. A “processing unit” is defined as one or more components that execute sets of instructions, and the components may be disparate parts or part of a whole unit and may not necessarily be located in the same physical location. The term “memory” or “memory element” is defined as one or more components that are configured to store data, either on a temporary or persistent basis. The term “shared memory” is memory or a memory element that is accessible (directly or indirectly) by two or more applications or other processes. An “interface” is defined as a component or a group of components that enable(s) a device to communicate with one or more different devices, whether through hard-wired connections, wireless connections or a combination of both.
The term “file system” is defined as an abstraction that is used to organize, store and retrieve data. The term “secure application” is defined as an application that has been modified to restrict communications between the application and unauthorized programs or devices, restrict operation of the application based on policy, or to alter, augment or add features associated with the operation of the application. A “target application” is defined as an application that has been selected for conversion into a secure application. A “characteristic” of an application is defined as a feature, quality, property or attribute of the application, examples of which will be provided below. A “blueprint” of an application is a set of characteristics of an application. The term “encapsulation application” is defined as an application that is created for purposes of encapsulating a target application, and an “encapsulated target application” is defined as a target application that has been encapsulated by an encapsulation application. The term “encapsulate” is defined as writing or otherwise inserting at least a portion of the code of a target application into another application to enable adaptive loading of the target application. The term “adaptive loading” is defined as a process by which an encapsulation application simulates a system loader by serving as a dynamic loader for an encapsulated target application when the encapsulated target application is loaded into memory.
The term “encryption engine” is defined as a component or a group of components that encrypt data, decrypt data or encrypt and decrypt data. A “linker” is defined as a combination of hardware and software components that is configured to combine a number of files to form an executable. An “analyzer” is a combination of hardware and software components that is configured to analyze a target application to determine the characteristics of the target application. A “compiler” is defined as a combination of hardware and software components that is configured to construct encapsulation applications and to encapsulate target application with the encapsulation application, as described herein, including through any necessary language translations.
As explained earlier, solutions have been developed to enable employees of an enterprise to carry mobile devices that include both enterprise and personal data, with the enterprise data being isolated from the personal data. As part of these solutions, one or more secure applications may be installed on an employee's mobile device. Ensuring that these secure applications are compatible with various formats is an issue that must be resolved.
As part of this resolution, a system and method for encapsulating a target application are presented herein. In particular, an analysis of the target application can be performed to determine one or more characteristics of the target application. Based on the analysis of the target application, a blueprint of the target application can be generated. Based on the blueprint, an encapsulation application can be constructed for the target application. In addition, the target application can be encapsulated with the encapsulation application to create an encapsulated target application to enable adaptive loading of the target application.
Through adaptive loading, the target application may be managed and controlled like a conventional or typical wrapped application. The target application, however, may be compatible with the various requirements for installation into certain application stores. As such, secure applications can be easily generated and distributed through the normal channels for doing so.
Referring to
The application developer portal 105 can present an interface that enables developers of applications to upload their applications for eventual publication in the application store 120. The application store 120, as is known in the art, can enable users of the portable computing devices 125 to install such published applications on their devices 125. In some cases, the applications from the application developers may be directed to the management unit 115 prior to being published in the application store 120. Through the management unit 115, the applications may be modified such that they are more conducive for operation on behalf of an enterprise or other organization. For example, the applications may be converted into secure or wrapped applications, a process in which certain functions of the application may be restricted or enhanced, depending on input from the enterprise. Examples of this process are known in the art, and additional information may be obtained from U.S. patent application Ser. No. 13/626,470, filed on Sep. 25, 2012, and U.S. patent application Ser. No. 14/036,415, filed on Sep. 25, 2013, each of which is herein incorporated by reference in its entirety.
Once a secure application is generated, it can be published in the application store 120, similar to a conventional application that has been published. An application that has been selected for conversion into a secure application by the management unit 115 (or some other component) may be referred to as a target application.
The network 110 can facilitate communications between any of the components of the system 100. As mentioned earlier, there may be multiple networks 110 in the system 100, and each network 110 may be composed of various types of components to support wireless or wired communications (including both). In addition, the network(s) 110 may be configured to support both local or wide area communications (or both).
Referring to
The interface 205 can be configured to receive target applications from the application developer portal 105 or from other appropriate sources. The memory 215 can include persistent or non-persistent memory (or both), which can be useful for storing programs and other instructions for carrying out the processes described herein. The I/O element 220 can include any suitable device that enables a human or machine to provide input to or receive output from the management unit 115. The linker 225, the analyzer 230 and the compiler 235 can be comprised of any suitable combination of hardware and software to facilitate the encapsulation of target applications and the adaptive loading of such applications. For example, the analyzer 230 can be configured to analyze the incoming target applications to determine their characteristics, and this information can be used by the compiler to construct an encapsulation application to encapsulate the target application. Additional description of this process will be presented below.
Referring to
The portable computing device 125 can also include one or more processing units 320, one or more interfaces 325, one or more memory elements 330, one or more system loaders 335, and one or more memory management units 340. As is known in the art, the device 125 may also include one or more abstraction layers that include system interfaces and that facilitate operation of the applications 305 and other functions of the device 125. As is also known in the art, the device 125 can include a kernel (not shown), which provides interfaces for the abstraction layers to interact with any suitable number and type of hardware components.
The processing unit 320 can be communicatively coupled to any number of the components of the device 125 and may be responsible for controlling or directing their operations. In one arrangement, the interface 325 can be configured to enable communications between the computing device 125 and any external devices or networks, such as the network 110. In particular, the interface 325 can support wired or wireless communications, over local or wide area networks. Through this interface 325, the portable computing device 125 can download the applications 305, including the encapsulation applications 310 that have encapsulated the target applications 315. As there are many different forms of communications and protocols, the computing device 125 can include any suitable number of interfaces 325.
The memory element 330 may be accessible by the applications 305 and other components of the computing device 125. The memory element 330 may be a combination of memory components and may include both persistent and non-persistent types. In addition, the memory element 330 and other components of the computing device 125 may be configured to support virtual memory, which can increase the efficiency of the device 125. As is known in the art, the system loader 335 can be any suitable combination of hardware and software to enable the loading and execution of any of the applications 305 installed on the device 125, include the encapsulation application 310. As will be explained below, the encapsulation application 310 can be configured to simulate the system loader 335 to enable the runtime execution of the target application 315. The memory management unit 340 can manage the memory element 330 in accordance with well-known principles. The foregoing listing of components with respect to the portable computing device 125 is not meant to be exhaustive, as the device 125 may include any suitable number and type of such components, including even fewer than are pictured here.
In one example, the portable computing device 125 may be a managed device, which enables a party to control certain aspects of the device 125, including the type of content that may be delivered to the device 125. Earlier presentations have been provided that illustrate a solution that describes some of these techniques, such as in U.S. patent application Ser. No. 13/179,513, filed on Jul. 9, 2011, which is incorporated by reference herein in its entirety. It is not necessary, however, for the device 125 to be a managed device to practice the processes described herein.
Referring to
At step 405, an analysis of a target application can be performed to determine one or more characteristics of the target application. At step 410, based on the analysis of the target application, a blueprint of the target application can be generated. At step 415, based on the blueprint, an encapsulation application can be constructed for the target application. The target application can be encapsulated with the encapsulation application, which can create an encapsulated target application to enable adaptive loading of the target application, as shown at step 420.
Steps 425-435 present one example of how the target application can be encapsulated by the encapsulation application. In particular, at step 425, segments or portions of the encapsulation application can be padded, and segments or portions of the target application can be extracted, as shown at step 430. As an example, the portions of the target application that are extracted can correspond to the portions of the encapsulation application that are padded. At step 435, the extracted segments of the target application can be written into the padding of the encapsulation application.
Examples of the steps of
Based on this analysis, the analyzer 230 can generate a blueprint of the target application 315. The blueprint can include the information associated with the analysis of the target application 315, and the compiler 235 can construct the encapsulation application 310 based on this blueprint. Referring to
Once the encapsulation application 310 is constructed, the linker 225 can locate certain symbols in the segments of the encapsulation application 310 and can open the binary of the encapsulation application 310. The linker 225 can also extract the data from the target application 315. For example, the linker 225 can identify an app start symbol in the sections of the encapsulation application 310 and can extract the corresponding sections of the target application 315. To accommodate the data from the target application 315, the linker 225 can pad or grow the original sections of the encapsulation application 315. For example, as shown in
The linker 225 can then write the relevant sections of the target application 315 into, for example, the padding 520 of the corresponding sections of the encapsulation application 310, starting at the relevant start symbol of these sections. An example of this process is shown in
When the target application 315 is written into the encapsulation application 310, it can be referred to as an encapsulated target application 540. As will be explained below, this process can enable adaptive loading of the target application 315. The encapsulated target application 540 can then be delivered to the application store 120 or some other component by the management unit 115 or some other device. Eventually, the encapsulated target application 540 can be installed on the portable computing device 125.
Referring back to
Examples of the remaining steps of
When the encapsulation application 310 is loaded into the memory 330, the system loader 335 of the device 125 can access the relevant sections of the encapsulation application 310 to facilitate this process. For example, the system loader 335 can parse the encapsulation application 310 and can load the application 310 as it would for a conventional application 305 installed on the portable computing device 125.
Once the encapsulation application 310 is loaded in the memory 330, the system loader 335 can hand off control to the encapsulation application 310. In turn, the encapsulation application 310 can simulate the operation of the system loader 335 by facilitating the loading of the target application 315 that has been encapsulated into the memory 330. That is, the encapsulation application 310 can adaptively load the target application 310. A representation of this process is shown in
In one arrangement, the encapsulation application 310, in conjunction with the memory management unit 340, can allocate memory for the target application 315 that has been encapsulated and can remap the target application 315 into the memory 330. For efficiency, the remap of the target application can involve a virtual memory remap. Through this process, the original target application 315 can be constructed in the memory 330. That is, the original code of the target application 315 can be remapped to another part of the memory 330, which is shown on the right side of the drawing of
Thus, as reflected in
As part of the loading process, the encapsulation application 310 can configure the target application 315 to enable the encapsulation application 310 to intercept the calls of the target application 310. For example, the encapsulation application 310 can determine one or more entry points of the target application 315 and can modify the entry point of the target application 315 to cause it to point back to an entry point of the encapsulation application 310. As such, when the target application 315 is executed, the process can point to an override entry point in the encapsulation application 310, and the code of the encapsulation application 310 can be executed.
As part of this execution, one or more calls associated with the target application 315 can be hooked by the encapsulation application 310, thereby enabling these calls to be intercepted. The calls can be related to virtually any function or feature of the target application 315, including I/O calls and socket calls. Once completed, the process can jump back to the original entry point of the target application 315. At this point, the target application 315 may execute as it normally would, but its functions have been hooked. For example, if the target application 315 generates a call to write data to a certain location, because the call is hooked, the data may be encrypted prior to being written, a feature that may have not been available on the target application 315 as originally constructed. As referenced earlier, this technique is facilitated by the encapsulation application 310 and the target application 315 being part of the same process space. Moreover, the target application 315, because it is under the control of or at least being managed by the encapsulation application 310, may be a secure application. Additional information on the interception of calls from a secure application can be found in the '470 patent application, referenced above.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be understood by those skilled in the relevant art(s) that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined in the appended claims. Accordingly, the breadth and scope of the present invention should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
This patent application claims priority to U.S. Provisional Patent Application No. 61/892,584, filed on Oct. 18, 2013, which is incorporated herein by reference in its entirety.
Number | Date | Country | |
---|---|---|---|
61892584 | Oct 2013 | US |