Patent 2805235 Summary

(12) Patent: (11) CA 2805235
(54) English Title: METHOD AND APPARATUS FOR SEPARATION OF CONNECTION DATA BY PERIMETER TYPE
(54) French Title: PROCEDE ET APPAREIL POUR LA SEPARATION DES DONNEES DE CONNEXION PAR TYPE DE PERIMETRE
Status: Granted
Bibliographic Data
(51) International Patent Classification (IPC):
  • H04W 48/02 (2009.01)
(72) Inventors :
  • TSE, CHI CHIU (Canada)
  • HAMMEL, KONRAD (Canada)
  • MAZZUCA, ELLIOTT MICHAEL (Canada)
(73) Owners :
  • BLACKBERRY LIMITED (Canada)
(71) Applicants :
  • RESEARCH IN MOTION LIMITED (Canada)
(74) Agent: MOFFAT & CO.
(74) Associate agent:
(45) Issued: 2017-01-17
(22) Filed Date: 2013-02-07
(41) Open to Public Inspection: 2013-08-16
Examination requested: 2013-02-07
Availability of licence: N/A
(25) Language of filing: English

Patent Cooperation Treaty (PCT): No

(30) Application Priority Data:
Application No. Country/Territory Date
61/599,465 United States of America 2012-02-16
13/717,219 United States of America 2012-12-17

Abstracts

English Abstract

A method and a mobile device having a plurality of modes of operation, the method associating each connection interface on the mobile device with one of a plurality of modes; and restricting access to a profile for each connection interface on the mobile device to only a subset of applications based on the mode associated with the profile.


French Abstract

Un procédé et un appareil mobile comportant une pluralité de modes de fonctionnement, le procédé associant chaque interface de connexion de l'appareil à un mode parmi plusieurs, et limitant l'accès à un profil pour chaque interface de connexion de l'appareil à uniquement un sous-ensemble d'applications sur la base du mode associé au profil.

Claims

Note: Claims are shown in the official language in which they were submitted.


CLAIMS
1. A method on a mobile device having one or more applications, a plurality of modes of operation and one or more network connections, each network connection associated with one of one or more network connection profiles and each application associated with one of the plurality of modes of operation, the method comprising:
associating each of the one or more network connection profiles with at least one of the plurality of modes of operation;
receiving a request from an application of the one or more applications to access a network connection of the one or more network connections;
determining a first mode of operation associated with the application;
determining a network connection profile associated with the network connection;
determining a second mode of operation associated with the network connection profile; and
if the first mode of operation is the same as the second mode of operation, allowing access to the network connection by the application;
wherein each of the one or more network connections define a link between a network element and the mobile device.
2. The method of claim 1, wherein the modes of operation comprise a personal mode and an enterprise mode.
3. The method of claim 1 or claim 2, wherein the associating comprises storing each network connection profile in a file system for an associated mode of operation.
4. The method of any one of claims 1 to 3, further comprising preventing backup or restoring of each network connection profile in at least one of the plurality of modes of operation.
5. The method of any one of claims 1 to 4, wherein the one or more network connections comprise a virtual private network connection.
6. The method of any one of claims 1 to 4, wherein the one or more network connections comprise a Wi-Fi network connection.
7. The method of any one of claims 1 to 6, wherein the associating utilizes an information technology policy for the device to match network connection profiles with at least one of the plurality of modes of operation.
8. The method of any one of claims 1 to 6, wherein the associating utilizes a source for configuration information for each network connection to match each network connection profile with at least one of the plurality of modes of operation.
9. A user equipment comprising:
a processor; and
a communications subsystem,
wherein the user equipment is configured to:
associate each network connection of one or more network connections with one of one or more network connection profiles and each application with one or more of a plurality of modes of operation;
associate each of the one or more network connection profiles with at least one of the plurality of modes of operation;
receive a request from an application to access a network connection;
determine a first mode of operation associated with the application;
determine a network connection profile associated with the network connection;
determine a second mode of operation associated with the network connection profile; and
if the first mode of operation is the same as the second mode of operation, allow access to the network connection by the application;
wherein each of the one or more network connections define a link between a network element and the mobile device.
10. The user equipment of claim 9, wherein the modes of operation comprise a personal mode and an enterprise mode.
11. The user equipment of claim 9 or claim 10, wherein the associating each of the one or more network connection profiles comprises storing each network connection profile in a file system for an associated mode of operation.
12. The user equipment of any one of claims 9 to 11, further comprising preventing backup or restoring of each network connection profile in at least one of the plurality of modes of operation.
13. The user equipment of any one of claims 9 to 12, wherein the one or more network connections comprise a virtual private network connection.
14. The user equipment of any one of claims 9 to 12, wherein the one or more network connections comprise a Wi-Fi network connection.
15. The user equipment of any one of claims 9 to 14, wherein the user equipment is configured to associate by utilizing an information technology policy for the device to match network connection profiles with at least one of the plurality of modes of operation.
16. The user equipment of any one of claims 9 to 14, wherein the user equipment is configured to associate each of the one or more network connection profiles by utilizing a source for configuration information for each network connection to match each network connection profile with at least one of the plurality of modes of operation.
17. A computer readable medium having stored thereon executable code for execution by a processor of a mobile device, the executable code comprising instructions for performing the method of any one of claims 1 to 8.
Description

Note: Descriptions are shown in the official language in which they were submitted.


CA 02805235 2013-02-07
METHOD AND APPARATUS FOR SEPARATION OF CONNECTION DATA BY PERIMETER TYPE
FIELD OF THE DISCLOSURE
[0001] The present disclosure relates to mobile connectivity, and in particular to data connections between a device and a network.
BACKGROUND
[0002] One or more applications on a mobile device may occasionally wish to make a network/data connection with a network element. Such a network connection may include a virtual private network (VPN), where a VPN is a private communications network used to communicate confidentially over a publicly accessible network. VPN message traffic can be carried over a public network infrastructure (e.g. the Internet) on top of standard protocols. VPNs are used, for example, to enable employees to connect securely to a corporate network. In other cases the network connection may be a connection to a WiFi network over a WiFi interface.
[0003] Standard routing rules for network connectivity may not be suitable for VPN connections since various network interfaces are incompatible with VPN connectivity. For example, certain cellular networks include non-Internet protocol (IP) interfaces. In other situations, a network interface may be virtual and not usable for VPN connections.
[0004] Further, interfaces may not be permanent for mobile connectivity. In particular, an interface may be added or become unavailable periodically. VPNs connected to interfaces that go down are affected. Also, a new interface may be better for a VPN than a currently used interface.
BRIEF DESCRIPTION OF THE DRAWINGS
[0005] The present disclosure will be better understood with reference to the drawings, in which:
Figure 1 is an exemplary block diagram showing an example computing device;
Figure 2 is a block diagram showing an example prioritized interface status list;
Figure 3 is a flow diagram showing an example connection of a virtual private network (VPN) over a prioritized connection;
Figure 4 is a flow diagram showing an example of updating of an interface status list;
Figure 5 is a flow diagram showing an example of maintenance of an interface status list;
Figure 6 is a block diagram showing an example of a list associating network connections and VPN connection profiles;
Figure 7 is a block diagram showing an example of a prioritized interface status list also associating network connections and VPN connection profiles;
Figure 8 is a flow diagram showing example maintenance of an interface status list associating VPN profiles;
Figure 9 is a block diagram showing an example application and data memory on a mobile device;
Figure 10 is a block diagram showing an example of the connection of a corporate device to a personal device;
Figure 11 is a block diagram showing an example of connection of applications on a mobile device through a physical layer to a corporate network or the Internet;
Figure 12 is a block diagram showing an example connection of applications on a mobile device through a bridge to a corporate network or the Internet;
Figure 13 is a flow diagram showing example designation of profiles to a perimeter;
Figure 14 is an example system architecture diagram for a mobile device; and
Figure 15 is a block diagram showing an example mobile device capable of being used with the present disclosure.
DETAILED DESCRIPTION
[0006] The present disclosure provides a mobile device having one or more applications, a plurality of modes of operation and one or more network connections, each network connection associated with one of one or more network connection profiles and each application associated with one of the plurality of modes of operation, the method comprising: associating each of the one or more network connection profiles with at least one of the plurality of modes of operation; and restricting access to each of the one or more network connections to only those applications associated with the same mode of operation as the network connection profile associated with the network connection.
[0007] The present disclosure further provides a user equipment comprising: a processor; and a communications subsystem, wherein the user equipment is configured to: associate each network connection with one of one or more network connection profiles and each application with one or more of a plurality of modes of operation; associate each network connection profile used to establish a network connection on the mobile device with at least one of a plurality of modes of operation; and restrict access to each of the one or more network connections to only those applications associated with the same mode of operation as the network connection profile associated with the network connection.
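The perimeter check of claims 1 to 4 and 7 and of paragraphs [0006] to [0007], as an added Python example (not BlackBerry's implementation): profiles are filed under the mode an IT policy assigns them, an application may only reach a connection whose profile sits in its own mode, and profiles in the enterprise mode are kept out of backups. Mode names, profile names, the IT-policy format and the fail-closed default for unknown connections are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

PERSONAL = "personal"
ENTERPRISE = "enterprise"


@dataclass(frozen=True)
class ConnectionProfile:
    """Parameters needed to reach a network element (credentials omitted)."""
    name: str    # e.g. "corp-vpn"
    kind: str    # "vpn" or "wifi"
    server: str  # VPN server or access point the profile connects to


@dataclass(frozen=True)
class Application:
    name: str
    mode: str    # perimeter the application was installed into


class PerimeterProfileStore:
    """One profile store per mode, standing in for claim 3's per-mode file system."""

    def __init__(self, it_policy: Dict[str, str], no_backup_modes=(ENTERPRISE,)):
        # it_policy maps a profile name to its mode (claim 7). Profiles the policy
        # does not mention fall into the personal perimeter; that default and the
        # policy format are assumptions of this example.
        self._policy = it_policy
        self._stores: Dict[str, Dict[str, ConnectionProfile]] = {
            PERSONAL: {}, ENTERPRISE: {}}
        self._connections: Dict[str, str] = {}   # connection name -> profile name
        self._no_backup_modes = set(no_backup_modes)

    def add_profile(self, profile: ConnectionProfile) -> str:
        """Designate the profile to a mode and file it there; returns the mode."""
        mode = self._policy.get(profile.name, PERSONAL)
        self._stores[mode][profile.name] = profile
        return mode

    def bind_connection(self, connection: str, profile_name: str) -> None:
        """Claim 1 preamble: each network connection has one profile."""
        if self.mode_of_profile(profile_name) is None:
            raise KeyError(f"unknown profile {profile_name!r}")
        self._connections[connection] = profile_name

    def mode_of_profile(self, profile_name: str) -> Optional[str]:
        for mode, store in self._stores.items():
            if profile_name in store:
                return mode
        return None

    def request_access(self, app: Application, connection: str) -> bool:
        """Claim 1 steps: first mode (app), profile, second mode (profile), compare."""
        first_mode = app.mode
        profile_name = self._connections.get(connection)
        if profile_name is None:
            return False                      # fail closed on an unknown connection
        second_mode = self.mode_of_profile(profile_name)
        return first_mode == second_mode

    def visible_profiles(self, app: Application) -> List[str]:
        """The abstract's restriction: an app sees only its own perimeter's profiles."""
        return sorted(self._stores[app.mode])

    def backup_candidates(self) -> List[str]:
        """Claim 4: profiles in a protected mode are excluded from backup/restore."""
        return sorted(name for mode, store in self._stores.items()
                      if mode not in self._no_backup_modes for name in store)


def demo() -> Dict[str, object]:
    # Constructed IT policy and profiles; server names are placeholders.
    policy = {"corp-vpn": ENTERPRISE, "office-wifi": ENTERPRISE}
    store = PerimeterProfileStore(policy)
    for p in (ConnectionProfile("corp-vpn", "vpn", "vpn.corp.invalid"),
              ConnectionProfile("office-wifi", "wifi", "CorpNet"),
              ConnectionProfile("home-wifi", "wifi", "HomeNet")):
        store.add_profile(p)
    store.bind_connection("vpn0", "corp-vpn")
    store.bind_connection("wlan-home", "home-wifi")
    mail = Application("work-mail", ENTERPRISE)
    game = Application("game", PERSONAL)
    return {
        "mail_to_vpn0": store.request_access(mail, "vpn0"),
        "game_to_vpn0": store.request_access(game, "vpn0"),
        "game_to_home": store.request_access(game, "wlan-home"),
        "game_sees": store.visible_profiles(game),
        "backup": store.backup_candidates(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```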
[0008] The present disclosure provides for a mobile device, but is not meant to be limited to any particular mobile device. Examples of mobile devices can include, for example, smart phones, personal digital assistants, data enabled cellular telephones, tablet computers, among others.
[0009] Reference is now made to Figure 1, which shows an exemplary simplified diagram of a computing device 100. Computing device 100 may comprise a tablet, mobile device, personal computer, laptop computer, among others. The embodiment of Figure 1 is however not meant to be limiting and other devices could be used.
[0010] Computing device 100 generally includes a processor 138, which controls the overall operation of the device. Processor 138 interacts with device subsystems such as the display 122, memory 124, auxiliary input/output (I/O) subsystems 128, serial port 130, one or more keyboards or keypads 132, where keyboard or keypad 132 may comprise a physical keyboard or a virtual keyboard or both, one or more speakers 134, microphone 136, other communication subsystem 140 such as a short-range communications subsystem, including Bluetooth and near field communications, and any other device subsystems generally designated as 142. Serial port 130 could include a USB port or other port.
[0011] Memory 124 may be segregated into various modes of operation, sometimes referred to as perimeters, as described below. Such segregation may be physical or logical. Operating system software used by the processor 138 may be stored in memory 124. The operating system, specific device applications, or parts thereof, may be temporarily loaded into a volatile memory such as RAM 126.
[0012] Applications may be loaded onto the device and associated with a mode of operation (also called a 'perimeter') in some cases. In some embodiments, such applications and data for the application may be stored in memory and associated with the perimeter. For example, separate areas of memory may be used to store the applications or data for each perimeter in some embodiments. In other embodiments, applications or data may be encrypted with a key associated with a perimeter and applications or data for a plurality of perimeters may be stored together. Other options are possible.
[0013] In some embodiments, computing device 100 may optionally include a communications subsystem 111 capable of communication with a data access point. Such data access point may include a cellular network or Wi-Fi or WiMAX network, among others. In further embodiments, computing device 100 may be capable of voice communications.
[0014] Various embodiments of the present disclosure relate to network connections such as virtual private networks. A network connection, as used herein, is a link between a network element and the mobile device in order to facilitate data exchange between the network element and the mobile device. The link may be over private resources such as within a corporate local area network, or may be over a public network infrastructure. Examples of network connections include VPN connections, WiFi connections over a WiFi interface, among others.
[0015] As indicated above, a VPN is a private communications network used to communicate confidentially over a publicly accessible network. VPN message traffic can be carried over a public network infrastructure (e.g. the Internet) on top of standard protocols. VPNs are used, for example, to enable employees to connect securely to a corporate network. Examples of VPN protocols, for example, may include the Internet Protocol Security (IPSec) standard defined by the Internet Engineering Task Force (IETF), Layer 2 Tunneling Protocol (L2TP) or Secure Sockets Layer (SSL) VPN, Point to Point Tunneling Protocol (PPTP), among others.
[0016] In accordance with one embodiment of the present disclosure, a method and apparatus are provided for an automatic interface selection for network connections such as VPN connections. While the description below may refer specifically to VPN connections, those of skill in the art will understand that other types of network connections are within the scope of the disclosure. As mentioned above, the standard routing rules for network connectivity may be unsuitable for certain network connections such as VPN connections since various network interfaces are incompatible with VPN connectivity. For example, certain cellular networks include non-Internet protocol (IP) interfaces. In other situations, a network interface may be virtual, and it may be undesirable to establish a VPN connection over a virtual network interface.
[0017] Further, interfaces may not be permanent for mobile connectivity. In particular, an interface may be added or become unavailable periodically.
[0018] In accordance with some embodiments of the present disclosure, an interface status list is provided. Statuses provided by a core networking component on a device may be read and the VPN usable interfaces may be distinguished from unusable interfaces by a processor on the device. In particular, reference is made to Table 1 below.
Interface type                Internet Available   Behavior
Virtual                       -                    Ignore
Physical, not VPN-friendly    -                    Ignore
Physical, VPN-friendly        No                   Monitor
Physical, VPN-friendly        Yes                  Monitor, available for VPN Login
TABLE 1: Example Interface Status List Criteria
[0019] In the example seen in Table 1 above, three types of interfaces are provided. For virtual interfaces, since it may be undesirable to establish a VPN over such an interface, the behaviour for the interface for VPN connectivity in this example is to ignore the interface type.
[0020] A second interface type includes a physical, non-VPN friendly interface. As indicated above, this may include a cellular connection with non-IP limitations. This interface type is again ignored in this example.
[0021] A third interface type is a physical, VPN friendly interface. For such interfaces, the interface may or may not be available. If the interface is available, as shown in the second column of Table 1, then the device may monitor and may use the interface for VPN log in. Conversely, if the interface is not available, then the mobile device may continue to monitor the interface in case it becomes available for VPN login. An interface is available if a VPN connection can be established over it.
[0022] For each interface available to a device, the interface is classified by interface type and put into an interface status list such as Table 1 above. Once the interface status list is built, changes to an interface may be monitored to detect when the interface goes up or down. The interface status list may be used to present the existence or absence of a VPN capable interface. If an interface goes up, it may become a candidate for a VPN connection if the interface type is physical VPN friendly. In this case, automatic selection may occur if a VPN login is requested without an interface being explicitly specified.
[0023] Similarly, if an interface goes down while being used for a VPN session, the detection of the interface going down may be used to clean up the VPN processes' internal state.
[0024] The interfaces available may be sorted based on a priority order. In particular, reference is now made to Table 2 showing an example of such a priority ordering.
VPN-Friendly Interfaces, by Priority
  1. Wired
  2. Wi-Fi
  3. Cellular (IP-capable interfaces)
  4. Bluetooth™ (tethering)
TABLE 2: Example Interface Priority
[0025] As seen from the exemplary Table 2 above, the VPN friendly interfaces may be sorted based on whether the interface is wired, Wi-Fi, cellular or Bluetooth. The ordering of Table 2 is, however, not meant to be limiting, and is only an example. Further, the connection types are not limiting, and other network connection types, such as WiMAX, IrDA, near field communications, among others, are possible.
[0026] From the example of Table 2, a wired interface may be considered by a device to be the highest priority since this interface may be the fastest and most reliable. Similarly, a Wi-Fi interface may be more desirable than a cellular interface because more data throughput is possible over the Wi-Fi connection, in some cases.
[0027] Finally, a Bluetooth interface may be the lowest priority since the data throughput may be the lowest for such an interface.
[0028] In other embodiments, the interface priority may be determined based on other criteria, including the application requiring the interface, security of the interface, among other factors, as described below.
[0029] In accordance with the above, when a computing device needs to establish a network connection such as a VPN connection, the device may refer to an internal interface status list, which presents a prioritized list of possible interfaces capable of being used to establish a VPN connection. The interface status list may provide a quick reference to determine which interface is capable of providing the VPN connection. The existence of the interface status list may provide for the abstraction of the interface status information from other sources and filters other unneeded interface status information.
[0030] For example, reference is now made to Figure 2. Figure 2 shows an example interface status list in accordance with one embodiment of the present disclosure. In particular, in Figure 2, an ordered list 200 is created based on the principles of Table 1 and Table 2 above, the ordered list showing which interfaces are currently available in a priority order as well as other interfaces which may not be currently available.
[0031] In Figure 2, a first line 210 in the interface list provides a home Wi-Fi interface that is currently available for VPN connection.
[0032] Similarly, line 212 showing a first cellular interface and line 214 showing a second cellular interface, indicate both are accessible from a mobile device and can both be used for VPN connections. Also, the mobile device is currently tethered and the VPN could use the tethered interface as well, as shown by line 216.
[0033] Based on the above, lines 210, 212, 214 and 216 provide for interfaces that are available to a device for a VPN in the example of Figure 2, as well as an ordering for the interfaces.
[0034] In some embodiments, the first time a connection is established over an interface, the interface may be added to list 200. The interface may then be determined to be available for VPN or not. Thus, for example, a work Wi-Fi line 220 is provided within list 200. However, the work Wi-Fi interface is not currently available to the mobile device (for example, the mobile device may be out of range of the work Wi-Fi interface), and thus the availability is shown as a "No" in list 200.
[0035] Similarly, if the user occasionally goes to school and connects to a school Wi-Fi network, the school Wi-Fi network, as shown in line 222 may also be sometimes available for VPN connectivity. Again, this network is not available at the moment in the example of Figure 2.
[0036] In some embodiments, interfaces within list 200 will be maintained for a certain time. For example, if the user does not connect to a certain network interface for one month, then the item may be removed from the list of interfaces.
[0037] Thus, in accordance with Figure 2, a prioritized list may be maintained by a device for VPN connectivity.
[0038] Reference is now made to Figure 3, which shows an exemplary process diagram for a VPN connection. In particular, the process for Figure 3 starts at block 300 and proceeds to block 310 in which a VPN connection is initiated. The initiation of the VPN connection at block 310 could be done based on a selection of a VPN connection through a user interface or could be automatic, for example when a device boots up, among other initiation times.
[0039] In the initiation at block 310, it is assumed that no network interface is specified for the VPN connection. In this case the process then proceeds to block 312 in which the device selects the highest priority interface from the available interfaces in the interface selection list 200.
[0040] The process then proceeds to block 314 in which a VPN connection is established over the interface selected at block 312. The process then proceeds to block 320 and ends.
[0041] In alternative embodiments, instead of selecting the highest priority interface at block 312, a user interface could be provided which provides an ordered list of interfaces that could be used for the VPN connection. In this case, a prompt could be provided to a user to select the interface to use, with the highest priority interface being the default interface in one example.
[0042] The interface list of Figure 2 may be updated by checking whether each interface is VPN friendly. In particular, reference is now made to Figure 4.
[0043] The process of Figure 4 starts at block 400 and proceeds to block 410 in which the next interface is selected. At the first instance of block 410, a first interface may be selected.
[0044] Once an interface is selected, the process proceeds to block 412 in which a check is made to determine whether the interface is new or has previously been processed. If the interface is not new, the process proceeds back to block 410 to choose the next interface.
[0045] If the interface is new, the process proceeds from block 412 to block 422 in which a check is made to determine whether the interface is VPN friendly. As indicated above, this may involve, for example, ensuring the interface is not virtual and can support IP connectivity.
[0046] If the interface is not VPN friendly, the process proceeds from block 422 back to block 410 to choose the next interface.
[0047] If the interface is VPN friendly, the process proceeds from block 422 to block 424 in which the interface is added to the interface table. The process then proceeds back to block 410.
[0048] Further, the interface list of Figure 2 may be kept up to date through the checking of the various interfaces to determine whether the interface has gone up or down or has maintained its availability status. In particular, reference is now made to Figure 5.
[0049] The process of Figure 5 starts at block 500 and proceeds to block 510. At block 510, the process selects the next interface on the interface list or table. At the first instance of block 510 a first interface may be selected.
[0050] The process then proceeds to block 512 to determine whether the interface that was selected has become available when compared to the previous status of the interface. If yes, the process then proceeds to block 520 in which the interface is made available for VPN connections.
[0051] From block 512, if the interface has not recently become available, the process proceeds to block 530 in which a check is made to determine whether or not the interface has gone down. If not, the process proceeds back to block 510 in which the next interface is selected.
[0052] If the interface has gone down, the process proceeds to block 540 in which a check is made to determine whether there was an active VPN connection on that interface. If not, the process proceeds from block 540 to block 544, in which the interface is made unavailable for VPN connections, and then to block 510 to select the next available interface.
[0053] From block 540, if a VPN connection is active on the interface that is no longer available, the process proceeds to block 542 in which the VPN status is cleaned up. In this case, the VPN connection may be dropped and an internal VPN state may be adjusted accordingly.
[0054] From block 542 the process proceeds to block 510 in which the next interface is selected.
[0055] At block 510, if there are no more interfaces available in the table, the process may again select the first interface and the process repeats itself.
[0056] Based on the process diagram of Figures 4 and 5, the interface status and availability for VPN connections can be maintained for the interface status list.
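The interface status list of Tables 1 and 2 together with the selection, update and maintenance processes of Figures 3 to 5, as an added Python example that is not the patent's own code: interfaces are classified per Table 1, only physical VPN-friendly ones enter the list, up/down transitions are tracked with VPN state cleaned up on loss, and selection follows Table 2 priority. The interface names, the day counter standing in for wall-clock time and the 30-day retention are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Table 2 priority order (lower value is preferred).
PRIORITY = {"wired": 0, "wifi": 1, "cellular": 2, "bluetooth": 3}


@dataclass
class Interface:
    """What the core networking component reports about one interface."""
    name: str
    kind: str                 # "wired" / "wifi" / "cellular" / "bluetooth"
    up: bool = False
    virtual: bool = False
    ip_capable: bool = True
    last_seen: int = 0        # constructed day counter of last use

    def interface_type(self) -> str:
        """Table 1 classification."""
        if self.virtual:
            return "virtual"
        if not self.ip_capable:
            return "physical, not VPN-friendly"
        return "physical, VPN-friendly"


@dataclass
class Entry:
    iface: Interface
    available: bool = False   # "Internet Available" column of Table 1
    vpn_active: bool = False  # a VPN session currently uses this interface


class InterfaceStatusList:
    """List 200: VPN-friendly interfaces with availability, in priority order."""

    def __init__(self, retention_days: int = 30):
        self._entries: Dict[str, Entry] = {}
        self._retention = retention_days
        self.cleanups: List[str] = []   # VPN sessions torn down at block 542

    def scan(self, interfaces: List[Interface]) -> None:
        """Figure 4: add each new, VPN-friendly interface; ignore the rest."""
        for iface in interfaces:
            if iface.name in self._entries:                          # block 412
                continue
            if iface.interface_type() != "physical, VPN-friendly":   # block 422
                continue
            self._entries[iface.name] = Entry(iface, available=iface.up)  # 424

    def refresh(self, today: int) -> None:
        """Figure 5: follow up/down transitions; clean VPN state on loss."""
        for entry in list(self._entries.values()):
            iface = entry.iface
            if iface.up:
                entry.available = True                               # block 520
                iface.last_seen = today
            elif entry.available:                                    # block 530
                if entry.vpn_active:                                 # block 540
                    self.cleanups.append(iface.name)                 # block 542
                    entry.vpn_active = False
                entry.available = False                              # block 544
            # [0036]: forget interfaces not used within the retention period.
            if today - iface.last_seen > self._retention:
                del self._entries[iface.name]

    def ordered(self) -> List[Entry]:
        """Figure 2 view: available interfaces first, then Table 2 priority."""
        return sorted(self._entries.values(),
                      key=lambda e: (not e.available, PRIORITY[e.iface.kind],
                                     e.iface.name))

    def select(self) -> Optional[str]:
        """Block 312: highest-priority interface currently usable for a VPN."""
        for entry in self.ordered():
            if entry.available:
                entry.vpn_active = True
                return entry.iface.name
        return None


def demo() -> Dict[str, object]:
    # Constructed interfaces mirroring Figure 2, plus two that Table 1 ignores.
    ifaces = [Interface("home-wifi", "wifi", up=True),
              Interface("cell1", "cellular", up=True),
              Interface("cell2", "cellular", up=True),
              Interface("bt-tether", "bluetooth", up=True),
              Interface("work-wifi", "wifi", up=False),
              Interface("lo", "wired", up=True, virtual=True),
              Interface("cell-nonip", "cellular", up=True, ip_capable=False)]
    lst = InterfaceStatusList()
    lst.scan(ifaces)
    lst.refresh(today=1)
    first = lst.select()          # home Wi-Fi wins on Table 2 priority
    ifaces[0].up = False          # home Wi-Fi goes out of range
    lst.refresh(today=2)          # the VPN session on it is cleaned up
    second = lst.select()         # next best: the first cellular interface
    lst.refresh(today=40)         # entries unused for over 30 days expire
    return {"first": first, "second": second, "cleanups": list(lst.cleanups),
            "remaining": [e.iface.name for e in lst.ordered()]}


if __name__ == "__main__":
    print(demo())
```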
[0057] In addition to the embodiments of Figures 2 to 5 above, in some embodiments, a network connection may be associated with a network connection profile. An interface may be associated with one or more network connection profiles. As used herein, a network connection profile defines various parameters that may be used to connect to a network element, and may include, for example, any combination of a connection method, interface, user credentials, network element server names, and other details that allow a mobile device client or application to connect and authenticate with the network element.
[0058] In particular, while the list 200 of Figure 2 provides for interfaces and whether they are available for VPN connection, a particular network connection profile may limit the type of interface that may be used. For example, a VPN may have a network connection profile which specifies that the connection must be made over a cellular interface. In other examples, the VPN connection may have a network connection profile that indicates that connection can only utilize trusted interfaces and a particular subset of interfaces may be provided that are trusted.
[0059] Reference is now made to Figure 6, which shows an exemplary list 600 having interfaces and an indication of network connection profiles that are associated with that interface.
[0060] In particular, in the example of Figure 6, three exemplary network connection profiles are provided. A first network connection profile "A" may be utilized to establish a network connection for connecting certain enterprise applications to an enterprise VPN server. A second network connection profile "B" may be used to establish a network connection for connecting to a user's home network VPN server. A network connection profile "C" may be used to establish a network connection for connecting one or more applications on the mobile device to a different enterprise network VPN server.
[0061] In the example of Figure 6, the home Wi-Fi network is only available for network connections associated with network connection profile B, as shown by line 610. Cell interface 1 is available for network connections associated with network connection profiles A, B or C, as shown by line 612. Cell interface 2 is available for network connections associated with network connection profiles A or B, as shown by line 614. The limitation on the interface for network connections associated with a particular profile may be dependent on the nature of the network connection associated with the network connection profile. For example, the home WiFi interface may not be considered secure enough by an enterprise, and thus profiles A and C, which are described above to be used for connecting to enterprise VPN servers, may not be allowed to use the home WiFi interface.
[0062] Further, a tethered interface is available for VPN profile B, as shown by line 616. A work Wi-Fi interface is available for VPN profiles A and C, as shown by line 618 and a school Wi-Fi network is only available for VPN profile B, as shown by line 620.
[0063]Thus, for example, when an application attempts to establish a new VPN
network
connection, the network connection profile for the VPN connection can be
established
and an appropriate interface can be selected from the prioritized list of
interfaces. For
example, in one embodiment, an application on the mobile device may be a VPN
client,
which, when launched, attempts to connect to a network element to establish a
VPN
connection. The application will have access to a network connection profile
which may
provide information such as client credentials, the address of the VPN server,
interface,
CA 02805235 2013-02-07
among other information, to populate the connection request. Authentication may then occur at the VPN server before data can be passed between the mobile device and the network element. The network connection profile may be used to determine an appropriate interface over which to establish the VPN connection.
[0064] The lists of Figure 2 and Figure 6 could be used independently to determine an interface to use. In other embodiments, the lists could be combined. Reference is now made to Figure 7, which shows an exemplary table including the interface, the VPN profile and the availability of the interface. In this case, the list 700 can be ranked in accordance with the interface type and the availability.
[0065] In particular, the combination of Figures 2 and 6 provides for an interface list 700, in which line 710 provides that the home Wi-Fi network is available but only for network connections associated with network connection profile B. Similarly, line 712 provides that a first cellular network is available for network connections associated with network connection profiles A, B or C. Further, line 714 provides that a second cellular network is available for network connections associated with network connection profiles A or B.
[0066] Line 716 provides that tethering is available but only for VPN profile B.
[0067] Other networks, such as the work Wi-Fi network shown at line 718, are unavailable at the moment, but if such a network becomes available then network connections associated with network connection profiles A or C could connect over it. Similarly, a school Wi-Fi network, shown at line 720, is currently unavailable but if it becomes available could be used for network connections associated with network connection profile B.
[0068] Reference is now made to Figure 8, which shows an exemplary process for associating a network connection profile with an interface and further shows an exemplary process for connecting to the highest priority interface available in accordance with some embodiments of the present disclosure. In particular, the process starts at block 800 and proceeds to block 810, in which an application on the mobile device attempts to establish a network connection. The connection attempt of block 810 may be based on a VPN login attempt from a user interface, an automatic VPN login, for example when a device powers up, among other login requests. The connection attempt is associated with a network connection profile for the network connection, such as a VPN profile.
[0069] From block 810 the process proceeds to block 812, in which a check is made to determine whether the network connection profile associated with the connection attempt specifies an interface. If yes, the process proceeds to block 820, in which the interface and profile association are stored.
[0070] The process then proceeds from block 820 to block 822, in which the highest priority interface with a stored association to the profile is selected. For example, in some embodiments a previous connection may have been made to a higher priority interface using the profile, and the association between that interface and the profile may be stored until the interface becomes unavailable. Thus, regardless of the interface specified at the connection attempt of block 810, the highest priority interface with a stored association to the network connection profile is selected.
[0071] From block 812, if the interface is not specified in the profile associated with the connection attempt, the process proceeds to block 830, in which the highest priority available interface is selected for the VPN connection.
[0072] The process then proceeds from block 822 or 830 to block 840, in which a check is made to determine whether a network connection already exists for the profile on the selected interface. If yes, no reconnection is required, as shown by block 852. However, if the connection does not already exist for the profile on the selected interface, the process proceeds to block 850, in which a connection on the interface using the network connection profile is made.

[0073] From blocks 850 and 852 the process proceeds to block 860 and ends.
[0074] Based on the above, a transition of VPN connections between interfaces may be provided, for example, whenever an interface is added or dropped. In some embodiments, stored interface associations may track previously used VPN profiles, and a transition may be triggered on the detection of an interface going up or down. This may provide handoff of VPN connections to higher priority interfaces and re-establishment of VPN connections on lower priority interfaces if the higher priority interface drops.
[0075] In some embodiments, if an interface is available and it is unknown whether the interface supports the VPN connection or not, a VPN connection may be attempted over the interface if it is a higher priority interface than the interface currently used for VPN connections. In this way, new, higher priority interfaces may be checked to determine whether or not the VPN connection should be established over those higher priority interfaces.
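The tables of Figures 6 and 7, the selection process of Figure 8 and the handoff behaviour of paragraphs [0074] and [0075], as an added example in Python. This is illustrative code written for this page, not code from the patent or from BlackBerry; the interface names, the priority ranking (Figure 2 is not reproduced on this page) and the availability flags are assumptions, and only the profile-to-interface permissions and the up/down state of each line of Figure 7 come from the text.

```python
"""Interface selection for VPN connection profiles.

Added example modelling the Figure 6/7 tables and the Figure 8 process.
Interface names, priority numbers and availability are assumptions; the
patent supplies only which profiles each interface permits and which
interfaces are currently up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    priority: int                 # 1 = highest; assumed ranking (Figure 2 not shown here)
    available: bool               # "availability" column of Figure 7
    allowed_profiles: frozenset   # profiles permitted on this interface (Figure 6)


@dataclass
class Profile:
    name: str
    interface: Optional[str] = None   # interface named in the profile, if any (block 812)


class ConnectionManager:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}
        self.associations = {}   # profile name -> interfaces it has been associated with (block 820)
        self.connections = {}    # profile name -> interface currently carrying its connection

    def ranked(self):
        """List 700: interfaces ordered by priority; availability is checked at use."""
        return sorted(self.interfaces.values(), key=lambda i: i.priority)

    def usable(self, iface, profile):
        """An interface is usable only if it is up and the profile is permitted on it."""
        return iface.available and profile.name in iface.allowed_profiles

    def select_interface(self, profile):
        """Blocks 812-830: pick the interface for a connection attempt, or None."""
        if profile.interface is not None:
            stored = self.associations.setdefault(profile.name, set())
            stored.add(profile.interface)                                  # block 820
            candidates = [i for i in self.ranked() if i.name in stored]    # block 822
        else:
            candidates = self.ranked()                                     # block 830
        for iface in candidates:
            if self.usable(iface, profile):
                return iface.name
        return None

    def connect(self, profile):
        """Blocks 840-852: reuse an existing connection or bring one up."""
        target = self.select_interface(profile)
        if target is None:
            self.connections.pop(profile.name, None)   # nothing usable: connection is down
            return None
        if self.connections.get(profile.name) == target:
            return target                              # block 852: already connected here
        self.connections[profile.name] = target        # block 850: (re)connect
        self.associations.setdefault(profile.name, set()).add(target)
        return target

    def interface_changed(self, profiles, name, available):
        """[0074]/[0075]: when an interface goes up or down, re-run selection for
        every profile with a live connection and report which ones moved."""
        self.interfaces[name].available = available
        moved = {}
        for profile in profiles:
            if profile.name not in self.connections:
                continue
            before = self.connections[profile.name]
            after = self.connect(profile)
            if after != before:
                moved[profile.name] = (before, after)
        return moved


def figure7_manager():
    """Constructed from lines 710-720 of Figure 7; the priority numbers are assumed."""
    return ConnectionManager([
        Interface("work_wifi",   1, False, frozenset({"A", "C"})),       # line 718, currently down
        Interface("home_wifi",   2, True,  frozenset({"B"})),            # line 710
        Interface("school_wifi", 3, False, frozenset({"B"})),            # line 720, currently down
        Interface("tether",      4, True,  frozenset({"B"})),            # line 716
        Interface("cell1",       5, True,  frozenset({"A", "B", "C"})),  # line 712
        Interface("cell2",       6, True,  frozenset({"A", "B"})),       # line 714
    ])


if __name__ == "__main__":
    cm = figure7_manager()
    a, b = Profile("A"), Profile("B")
    print("A ->", cm.connect(a))   # cell1: work Wi-Fi is down and home Wi-Fi is not permitted for A
    print("B ->", cm.connect(b))   # home_wifi
    print("work Wi-Fi up:", cm.interface_changed([a, b], "work_wifi", True))
    print("work Wi-Fi down:", cm.interface_changed([a, b], "work_wifi", False))
```

Two details carry the security point. An interface is usable only if the profile is permitted on it, so an enterprise VPN profile is never placed on the home Wi-Fi line even when that is the highest priority interface that happens to be up; and a stored association is re-evaluated on every attempt rather than trusted, so a dropped interface cannot leave a stale mapping that a later attempt silently reuses.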
[0076] In certain situations, a dual or plural mode of operation may exist for a mobile device, where the mobile device may run certain applications and access certain data in one portion that are not accessible or cannot be run in a second portion. Such modes of operation are described as "perimeters" herein. For example, a work perimeter may be used for enterprise applications and data, and a personal perimeter may be used for personal applications and data. The perimeter of the application that wants a network connection may determine which network connection profile, and consequently which interface, may be used to establish the VPN connection, as described below.
[0077] Reference is now made to Figure 9, which shows an exemplary block diagram of the memory 910 of a mobile device. The memory is configured to store applications and application data, such combination of stored applications and data being referred to herein as an application space. The memory 910 is divided, either physically or logically, into two perimeters, which represent a personal perimeter 920 and a corporate perimeter 930 in the example of Figure 9.
[0078] Corporate perimeter 930 may comprise a portion of memory on the mobile device segregated for data, applications, or both, which may be considered sensitive to a business, corporation, enterprise, government, non-profit organization, a user of the device or any other entity setting an information technology policy for the computing device.
[0079] Personal perimeter 920 may comprise a portion of memory segregated for personal applications and data, where personal applications or data may be considered outside of or separate from an information technology policy.
[0080] Within personal perimeter 920, a plurality of applications 922 can communicate with data 924 that is considered to be personal data.
[0081] Similarly, in corporate perimeter 930, a plurality of corporate applications 932 communicate with corporate data 934.
[0082] By segregating corporate applications from personal applications, and the data associated with each, corporate IT policies can be implemented on the device for the corporate data, thereby protecting that data, while still allowing personal applications and personal data on the device. This may provide more flexibility for a user and a better user experience.
[0083] Operating system 940 enforces the segregation of the data, as described in more detail below.
[0084] The designation of each application as either a personal application or a corporate application may be done in several ways. In one embodiment, a corporate IT policy can be set for the loading of applications onto the device, where certain specified applications are designated by the IT policy to be corporate applications. Other applications that are not within the list of corporate applications could be considered, by default, to be personal applications. In other embodiments, a user, administrator, carrier or other entity can use a configuration program or a navigation entity (application launcher) to designate the various applications on the device as personal or corporate applications. Further, signatures applied to applications could also be used for the designation. Other examples of the designation of applications as corporate and personal would be apparent to those skilled in the art having the benefit of the present disclosure.
[0085] In further embodiments, hybrid applications that might have both personal and corporate uses could be duplicated between the corporate perimeter 930 and the personal perimeter 920. In this way, if a user wants to use a particular application for personal reasons, the user could open the application 922 in the personal perimeter. Conversely, if the user wants to use the same application for corporate purposes, the user could open the application 932 in corporate perimeter 930.
[0086] Thus, for example, a Documents To Go™ document editor could be provided for both the personal space and the corporate space, thereby allowing the editing of both personal documents and corporate documents while maintaining security for corporate data.
[0087] In one embodiment, corporate applications 932 could be provided with additional security over personal applications. For example, before a corporate application 932 could be launched, the user may need to enter a password. Further, inactivity timers could be implemented to lock corporate applications after a period of inactivity while leaving personal applications unlocked. A locked application may require a user to first enter a password to unlock the application before interacting with it and accessing data from it.
[0088] The designation of the application may further limit what data that application has access to. Thus, for example, corporate applications may run in their own mode where any data that they write can never be accessed by a personal application. The limitation would be that personal applications 922 are not able to read corporate data 934, nor is a corporate application capable of writing to personal data 924.
[0089] Similarly, a personal application may not be able to write to corporate data 934. In some embodiments, corporate applications 932 may not be able to read personal data 924. In other embodiments, corporate applications 932 may be able to read personal data 924.
[0090] Corporate data 934 may be encrypted for security. Such encryption and the storing of encryption keys would be known to those in the art having the benefit of the present disclosure.
[0091] Corporate data may also have date of deletion policies in effect on the mobile device. Thus, if corporate data is not accessed within a certain time period, it could be wiped pursuant to a corporate data reaping timeline. For example, if data is not accessed on the mobile or computing device for seven days, the data may be deleted from the mobile device. The user would then need to download the data again if it was required on the mobile device. This may be implemented through tags or data tables associated with the data.
[0092] The operating system 940 can enforce the above differentiating rules between corporate perimeter 930 and personal perimeter 920. For example, operating system 940 may implement data access for the various applications 922 and 932, where each application is given a group permission, similar to UNIX group permissions. In other embodiments, other user permissions or other permission systems may also be used. Data is further designated in files that allow access by certain groups. Thus, operating system 940 may allow corporate data 934 to be accessed only by applications 932 that have group permissions to access such data. Similarly, personal data 924 may be written to or read only by applications 922, based on the group permissions of application 922 with regard to data 924. Applications 932, however, do not have group permissions to write to data 924 in one embodiment, as enforced by operating system 940.
[0093] Access to the data may be maintained for other data functionalities to prevent corporate data from being accessed in the personal mode. For example, copy or cut functionality may be managed between the personal mode and corporate mode. Potentially, no cutting or copying would be allowed in the corporate mode of operation by corporate applications 932.
[0094] In other embodiments, cutting and copying may be allowed between corporate applications but may be restricted when trying to paste outside corporate mode. As will be appreciated, this could again be managed by a UNIX group permission type model using operating system 940. When cutting or copying various text or images, or other data, a new data file is created which could have group permissions that restrict where the pasting of that file is allowed to occur. Thus, when using a personal application, if trying to paste corporate data, an error might be returned, or the paste operation may simply not function.
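How operating system 940 could enforce the rules of paragraphs [0088] to [0094], together with the reaping timeline of [0091], as an added example in Python written for this page (not the patent's or the platform's own code). It models the UNIX-style group permission of [0092] as a reference monitor: every application and every data file carries a perimeter group, cut/copy creates a clipboard file that inherits the group of its source, and paste is treated as a read of that file followed by a write, so the same rules decide it. The application and file names, the day-numbered timestamps and the `corporate_reads_personal` switch standing in for the two embodiments of [0089] are assumptions.

```python
"""Perimeter enforcement by group permission, modelled as a reference monitor.

Added example, not the patent's code. Every app and data file carries a
perimeter group; the monitor applies the read/write rules of [0088]/[0089],
the clipboard rule of [0094] and the reaping timeline of [0091].
"""
from dataclasses import dataclass
from enum import Enum


class Perimeter(str, Enum):
    PERSONAL = "personal"
    CORPORATE = "corporate"


@dataclass(frozen=True)
class App:
    name: str
    group: Perimeter          # group permission granted to the application ([0092])


@dataclass
class DataFile:
    group: Perimeter          # group the file is designated for
    content: str
    last_access: int          # day number of the last read or write, for reaping ([0091])


class PolicyError(PermissionError):
    """Raised when the perimeter rules deny an operation."""


class PerimeterOS:
    def __init__(self, corporate_reads_personal=False):
        # assumption: a switch selecting between the two embodiments of [0089]
        self.corporate_reads_personal = corporate_reads_personal
        self.files = {}          # name -> DataFile
        self.clipboard = None    # the new data file created on cut/copy ([0094])

    def can_read(self, app, f):
        if app.group == f.group:
            return True
        # a personal app never reads corporate data ([0088]); a corporate app reads
        # personal data only in the embodiment that permits it ([0089])
        return (app.group is Perimeter.CORPORATE and f.group is Perimeter.PERSONAL
                and self.corporate_reads_personal)

    def can_write(self, app, f):
        # no cross-perimeter writes in either direction ([0088], [0089])
        return app.group == f.group

    def read(self, app, name, now=0):
        f = self.files[name]
        if not self.can_read(app, f):
            raise PolicyError(f"{app.name} may not read {name}")
        f.last_access = now
        return f.content

    def write(self, app, name, content, now=0):
        f = self.files.get(name)
        if f is None:
            # a newly created file is designated for the writer's own group
            self.files[name] = DataFile(app.group, content, now)
            return
        if not self.can_write(app, f):
            raise PolicyError(f"{app.name} may not write {name}")
        f.content, f.last_access = content, now

    def copy(self, app, name, now=0):
        # [0094]: cut/copy creates a new data file carrying the source file's group
        content = self.read(app, name, now)
        self.clipboard = DataFile(self.files[name].group, content, now)

    def paste(self, app, name, now=0):
        # paste = read of the clipboard file, then a write; corporate clipboard
        # content therefore never lands in a personal file
        if self.clipboard is None or not self.can_read(app, self.clipboard):
            raise PolicyError(f"{app.name} may not paste this clipboard content")
        self.write(app, name, self.clipboard.content, now)

    def reap(self, now, max_idle_days=7):
        # [0091]: corporate data not accessed within the reaping window is deleted
        stale = [n for n, f in self.files.items()
                 if f.group is Perimeter.CORPORATE and now - f.last_access >= max_idle_days]
        for n in stale:
            del self.files[n]
        return stale


def denied(fn, *args, **kwargs):
    """True if the perimeter rules refuse the operation (used by the demo and tests)."""
    try:
        fn(*args, **kwargs)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    osys = PerimeterOS()
    work, home = App("editor_work", Perimeter.CORPORATE), App("editor_home", Perimeter.PERSONAL)
    osys.write(work, "plan.txt", "Q3 targets")
    osys.copy(work, "plan.txt")
    print("personal paste of corporate data denied:", denied(osys.paste, home, "leak.txt"))
    print("reaped after 7 idle days:", osys.reap(now=7))
```

The default monitor denies both directions of cross-perimeter access, and only the explicit flag opens corporate-reads-personal. A real implementation also has to keep the clipboard file itself under the same group ownership as any other data file; if the clipboard lives in a world-readable location, the paste check is the only barrier and the group model the patent relies on is bypassed.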
[0095] In one embodiment, corporate data 934 may be provided to a device based on a secure connection with the corporate network. For example, this may be done through a virtual private network or other secure connection to an enterprise server.
[0096] Further, in one embodiment, the memory 910 may be located on a mobile device. In this case, the mobile device may have a pre-established secure connection with an enterprise server.
[0097] In some embodiments, a particular device may be considered to not be secure, but may be connected to a secure (IT trusted) device. Reference is now made to Figure 10.
[0098] In Figure 10, the secure device is mobile device 1005. However, this is merely an example and other possibilities for secure mobile devices exist.
[0099] The unsecured computing device is computing device 1000.
[00100] In order to run corporate data on computing device 1000, a client 1010 may be provided on the computing device 1000. Client 1010 communicates with a server 1020 on the secure mobile device 1005 to obtain corporate data.

[00101] Further, the computing device 1000 may include memory 1030, which has a corporate space 1034 for storing corporate applications that may be run on computing device 1000. Computing device 1000 may also have a personal perimeter 1032 within memory 1030.
[00102] As seen in the example of Figure 10, the personal perimeter contains applications 1032 which may access data 1036. However, in some embodiments no similar data exists for corporate applications 1034.
[00103] In an alternative embodiment, corporate perimeter 1034 could have data 1038 which could be regulated by the same corporate policies as data 1048 on mobile device 1005. Thus, data 1038 would be subject to access restrictions to corporate applications, garbage collection, restrictions on copying or cutting, among the other restrictions provided above. The client 1010 could provide this functionality.
[00104] On mobile device 1005 the divided modes are similarly provided. In particular, memory 1040 contains personal applications 1042 and corporate applications 1044. This is similar to the embodiments described above with regard to Figure 9.
[00105] Each of personal application perimeter 1032 and corporate application perimeter 1034 has access to a separate data area, namely data 1046 for personal applications 1042 and data 1048 for corporate applications 1044. In this way, data 1048 cannot be accessed by personal applications 1042.
[00106] In an alternative embodiment, mobile device 1005 may be considered to be a corporate device. In this case, application perimeter 1040 would only have corporate applications 1044 and corporate data 1048. Thus, all information stored on mobile device 1005 would be considered to be corporate data, and be accessible only by corporate applications 1034.
[00107] In order to provide security, a user of computing device 1000 may start an application as a corporate application 1034. As indicated above, a password may be required to start such applications.
[00108] Client 1010 recognizes that a corporate application 1034 is running and can communicate with server 1020 to indicate that corporate data can be provided. In this way server 1020 can access the corporate data that is either in data storage 1048, or the corporate data can be obtained from an enterprise server.
[00109] Further, corporate applications 1044 do not necessarily have to be the same as corporate applications 1034. For example, with a larger display, computing device 1000 may be able to run different applications or variations of applications 1044. The corporate data 1048 may be the same between the two sets of applications, but could be displayed to the user or used by corporate applications 1034 differently than the data 1048 would be used on mobile device 1005.
[00110] The corporate data may then be provided over a connection 1060 between mobile device 1005 and computing device 1000. Connection 1060 may comprise any short or long range wired or wireless connection, and examples of such connections include Bluetooth™, USB, Infrared Data Association (IrDA), Wi-Fi, radio-frequency identification (RFID) and Near Field Communication (NFC) connections, among others.
[00111] Communication over link 1060 can be secure. That is, corporate data that is passed to computing device 1000 or back to mobile device 1005 may be encrypted using a key known to both computing device 1000 and mobile device 1005.
[00112] Further, in one embodiment any data that is stored is encrypted. In this case, the encryption key for the stored data may be stored on mobile device 1005, thus necessitating the connection in order to decrypt the data on the computing device 1000.
[00113] Further, it may be a policy that the data is not stored on computing device 1000. Thus, except for some possible caching, corporate data will not be stored on device 1000. Further, client 1010 can ensure that the cache is cleared prior to the corporate application shutting down.
[00114] While the above is described with regard to a corporate (enterprise) perimeter and a personal perimeter, the number of modes or spaces for applications can be further refined. For example, a corporation may consider sales and other information to be more sensitive than employee information. In this regard, sales and similar information may be given a separate category from employee information and may be provided with different data storage and segregation, different passwords for the applications that run and display sales information, among other factors. In this case, three modes would exist: personal, corporate employees, and corporate sales.
[00115] Further, the above could be expanded to have a plurality of different modes or application spaces, with each one being separated and with access to each of the plurality of application spaces and the data associated therewith governed by the operating system. The present disclosure is not meant to be limited to any particular number of modes.
[00116] In addition to separating data and applications, in one embodiment of the present disclosure, connection profile data can also be separated. Reference is now made to Figure 11.
[00117] Figure 11 shows a device 1110 having a personal perimeter space 1120 and a work (enterprise) perimeter space 1130. The example of Figure 11 is merely meant to be an example, and other divisions or different perimeters are possible.
[00118] In personal perimeter 1120, a personal application 1122 is running. The personal application 1122 may gain access to the Internet through IP stack 1124 utilizing a personal routing domain 1126.
[00119] A physical interface 1160 is then used in order to access the Internet 1180. Physical interface 1160 may be, in accordance with the above, Wi-Fi, a cellular network, tethering, among others.
[00120] Similarly, work perimeter 1130 includes the work application 1132, which accesses a corporate network 1170 through one of two routes. In a first route, network access control may be utilized through a mobile data service 1134. Mobile data service (MDS) 1134 provides hypertext transfer protocol or hypertext transfer protocol secure (HTTP/HTTPS) connectivity and also provides an open, extensible and secure interface for extending corporate applications and corporate intranet standards.
[00121] MDS 1134, or alternatively work application 1132, may access VPN 1136. The VPN uses IP stack 1124, and in particular work routing domain 1138, to access the corporate network 1170 utilizing physical interface 1160.
[00122] In an alternative embodiment, instead of accessing the Internet or corporate network indirectly through a physical interface, a bridge may be established between a device and a second device, where the second device has access to the networks, as described with regard to Figure 10 above.
[00123] Reference is now made to Figure 12, in which a device 1210 includes a personal perimeter 1220 and a work perimeter 1230.
[00124] In personal perimeter 1220, personal application 1222 accesses an Internet service bridge 1224 to access the Internet. In particular, Internet service bridge 1224 provides connectivity through the tethered device to the Internet.
[00125] Internet service bridge 1224 communicates through IP stack 1226, which includes a personal routing domain 1228. The IP stack utilizes a physical interface 1240 which includes tethering to the second device. Tethering can be, for example, through a wired serial connection such as USB, or may be through a wireless short range connection such as Bluetooth, Infrared Data Association (IrDA), Near Field Communication (NFC), among others.
[00126] Physical interface 1240 may then be used to access the Internet 1260.
[00127] Similarly, in work perimeter 1230, a work application 1232 accesses an enterprise service through a bridge, shown by reference numeral 1234.
[00128] The enterprise service bridge 1234 accesses the IP stack, and specifically a work routing domain 1236, which may then connect through the physical interface 1240 to a corporate network 1270.
[00129] In accordance with the above, applications and data are separated based on mode of operation (perimeter) type. In this case, the profile data for network connectivity, including Wi-Fi or VPN profiles, may also be handled separately based on mode of operation type.
[00130] In accordance with one embodiment of the present disclosure, various network connections are specified as belonging to a mode of operation, and thus the corresponding profiles for the network connections are stored and protected within the appropriate mode of operation file system location.
[00131] For example, when utilizing the personal versus enterprise mode of operation discussed above with reference to Figures 11 and 12, various Wi-Fi or VPN connections may be classified as either personal or corporate Wi-Fi or VPN connections. The designation of the connection may be made at the device. For example, if a user provisions a connection by creating a connection profile, this may be considered to be a personal connection. On the other hand, if a connection is provisioned to the device based on an information technology policy at an enterprise server, for example by providing the device with a connection profile, this may be considered to be an enterprise connection. In some cases, personal connections may be migrated to enterprise connections through communication with the enterprise server. Other ways of designating a connection as personal or enterprise are also possible.
[00132] Once a connection is designated personal or enterprise, data for the connection, including the connection profile and in some cases credentials or certificates, may be stored in the appropriate file system. Thus, referring to Figure 9 above, the data for an enterprise connection will be stored in data storage 934. Similarly, data for personal profiles will be stored in data portion 924.
[00133] The separation of the network connection into personal versus enterprise may then be utilized for data and application access based on the type of data or application. Thus, an enterprise application may run and require connectivity over a connection that is designated as an enterprise connection. This forces work traffic onto the highest security setting. Conversely, in some instances personal traffic can utilize personal connections. In some cases, personal traffic may also utilize work connections to access the Internet, since the security is simply higher than is required. However, the work applications will typically not access the corporate network through a personal connection, since the security may not be at the level required by the work application.
[00134] In a further embodiment, the wiping of the network profile may also be accomplished based on the designation of the network connection. If, for example, an enterprise service bridge 1234, as seen in Figure 12, is lost, the enterprise connections may be wiped from the cache. This may be facilitated based on the location of the storage for the connection profile. Thus, the connection profile would only exist while there is a bridge between the second device and the first device.
[00135] In some situations, the user interface, and particularly a choice of physical interfaces displayed to a user, may be affected by the profile of the network connection. For example, when a user is attempting to establish a VPN connection within the work or enterprise perimeter, the user may be given a choice of physical interfaces in which only enterprise trusted physical interfaces are displayed. In other examples, various physical interfaces displayed to the user may be grayed out if they are unavailable to the enterprise server. Other possibilities also exist.
[00136] For data associated with a work perimeter, the backup and restore functionality may also be restricted. In particular, the work data may not be backed up or stored in some cases. This may be done for security reasons, and thus the classification of a profile as an enterprise connection would prevent the backup or restore from occurring.
[00137] Backup and restore or wiping functionality may be accomplished, for example, based on a file system, wherein profiles for enterprise connections are placed into enterprise subdirectories and profiles for non-enterprise connections are placed into personal directories. When a backup/restore operation occurs, enterprise designated subdirectories may be skipped in one embodiment.
[00138] Reference is now made to Figure 13. The process of Figure 13 starts at block 1300 and proceeds to block 1310. At block 1310, a network connection profile is associated with at least one mode of operation. Thus, for example, a specific VPN profile may be considered to be an enterprise VPN profile, such as VPN profiles "A" and "C" from above, and stored within a work perimeter. Similarly, other profiles may be considered to be personal profiles, such as VPN profile "B" from above, stored in the personal perimeter. Other examples are possible.
[00139] From block 1310 the process proceeds to block 1312, in which access to each network connection is restricted to those applications with the same mode of operation as the network connection profile associated with the network connection. Therefore, as described above, a work application may only have access to profiles that are trusted by an enterprise in one embodiment. Other examples are possible.
[00140] From block 1312 the process proceeds to block 1320 and ends.
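The Figure 13 process and the file system layout of [00130] to [00139], as an added example in Python written for this page rather than taken from the patent. It keeps profiles in per-perimeter subdirectories, applies the designation rule of [00131] (a user-created profile is personal, an IT-policy provisioned profile is enterprise), restricts an application to the profiles of its own perimeter (block 1312), skips the enterprise subdirectory on backup ([00137]) and wipes enterprise profiles when the enterprise service bridge is lost ([00134]). The directory names, the JSON file format, the `it_policy`/`user` provenance strings and the sample profiles are assumptions.

```python
"""Connection profiles separated by perimeter on the file system.

Added example, not the patent's code. Directory names, the JSON format, the
provenance strings and the sample profiles below are assumptions.
"""
import json
import shutil
import tempfile
from pathlib import Path

PERSONAL, ENTERPRISE = "personal", "enterprise"


class ProfileStore:
    def __init__(self, root):
        self.root = Path(root)
        for perimeter in (PERSONAL, ENTERPRISE):
            (self.root / perimeter).mkdir(parents=True, exist_ok=True)

    @staticmethod
    def designate(provisioned_by):
        """[00131]: who provisioned the connection decides its perimeter."""
        return ENTERPRISE if provisioned_by == "it_policy" else PERSONAL

    def add_profile(self, name, profile, provisioned_by):
        """Block 1310: associate the profile with a perimeter by storing it there."""
        perimeter = self.designate(provisioned_by)
        (self.root / perimeter / f"{name}.json").write_text(json.dumps(profile))
        return perimeter

    def profiles_for(self, app_perimeter, personal_may_use_enterprise=False):
        """Block 1312: an app sees only profiles of its own perimeter. The [00133]
        option of letting personal traffic ride enterprise connections is a flag;
        work apps never get personal profiles."""
        perimeters = [app_perimeter]
        if app_perimeter == PERSONAL and personal_may_use_enterprise:
            perimeters.append(ENTERPRISE)
        return sorted(p.stem for per in perimeters for p in (self.root / per).glob("*.json"))

    def load(self, app_perimeter, name, **opts):
        """Open a profile on behalf of an app; refuses cross-perimeter access."""
        if name not in self.profiles_for(app_perimeter, **opts):
            raise PermissionError(f"{app_perimeter} app may not use profile {name}")
        for per in (PERSONAL, ENTERPRISE):
            path = self.root / per / f"{name}.json"
            if path.exists():
                return json.loads(path.read_text())
        raise KeyError(name)

    def migrate_to_enterprise(self, name):
        """[00131]: a personal connection may be migrated to an enterprise connection."""
        (self.root / PERSONAL / f"{name}.json").rename(self.root / ENTERPRISE / f"{name}.json")

    def backup(self, dest):
        """[00137]: copy profiles for backup, skipping the enterprise subdirectory."""
        dest = Path(dest)
        copied = []
        for path in sorted((self.root / PERSONAL).glob("*.json")):
            (dest / PERSONAL).mkdir(parents=True, exist_ok=True)
            shutil.copy(path, dest / PERSONAL / path.name)
            copied.append(path.stem)
        return copied

    def on_bridge_lost(self):
        """[00134]: losing the enterprise service bridge wipes the enterprise profiles."""
        wiped = []
        for path in sorted((self.root / ENTERPRISE).glob("*.json")):
            path.unlink()
            wiped.append(path.stem)
        return wiped


def run_scenario():
    """Walk the store through profiles A, B and C of Figure 6 in a temporary
    directory and return what each step observed (sample profiles are constructed)."""
    root = Path(tempfile.mkdtemp())
    try:
        store = ProfileStore(root / "connections")
        out = {}
        out["A"] = store.add_profile("A", {"type": "vpn", "server": "vpn.corp.example"}, "it_policy")
        out["B"] = store.add_profile("B", {"type": "vpn", "server": "home.example"}, "user")
        out["C"] = store.add_profile("C", {"type": "vpn", "server": "vpn.partner.example"}, "it_policy")
        out["work_sees"] = store.profiles_for(ENTERPRISE)
        out["personal_sees"] = store.profiles_for(PERSONAL)
        out["personal_sees_relaxed"] = store.profiles_for(PERSONAL, personal_may_use_enterprise=True)
        try:
            store.load(PERSONAL, "A")
            out["personal_loads_A"] = True
        except PermissionError:
            out["personal_loads_A"] = False
        out["work_loads_A"] = store.load(ENTERPRISE, "A")["server"]
        out["backed_up"] = store.backup(root / "backup")       # enterprise subdirectory skipped
        store.migrate_to_enterprise("B")
        out["after_migration"] = store.profiles_for(ENTERPRISE)
        out["wiped"] = store.on_bridge_lost()
        out["work_sees_after_wipe"] = store.profiles_for(ENTERPRISE)
        return out
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

[00132] allows credentials or certificates to be stored with the profile; in this layout they inherit the backup and wipe behaviour of their subdirectory, which is the point, but on a real device they belong in the platform keystore under the same perimeter label rather than in the JSON file. The directory split also only separates anything if the operating system applies the per-perimeter group permissions of [0092] to those directories; the Python class is a policy model, not an enforcement boundary.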
[00141] An example system architecture capable of being used with the above embodiments is shown with regard to Figure 14. The architecture of Figure 14 is however not meant to be limiting, and other system architectures are possible.
[00142] Reference is now made to Figure 14, which shows a block diagram of an example wireless data network in accordance with the present disclosure and with which the various embodiments of the methods of the instant disclosure may cooperate. Figure 14 shows a block diagram of a mobile device 1410 and an example Code Division Multiple Access (CDMA) 1x network 1420, an example Evolution Data Only (EVDO) network 1430, a public switched telephone network (PSTN) 1435, a data network 1440, wireless gateway 1442 and enterprise server 1444. This is shown merely as an example, and other network architectures, such as Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Universal Mobile Telecommunications System (UMTS), Long Term Evolution (LTE), LTE Advanced (LTE-A), High Speed Downlink Packet Access (HSDPA), Wi-Fi, WiMAX, among others, are possible.
[00143] The mobile device 1410 may comprise a two-way communication device having data and voice communication capabilities. Figure 14 further shows an access point 1470 for use with an alternative data connection such as a Wi-Fi or WiMAX connection.
[00144] CDMA network 1420 is comprised of a base transceiver station (BTS) 1422 and a base station controller (BSC) 1424. Base station controller 1424 communicates with a mobile switching centre 1426 which, as will be appreciated, is a circuit switched only component communicating with PSTN 1435. Base station controller 1424 further communicates with a packet data serving node (PDSN) 1428, which is a packet switched only component. PDSN 1428 further communicates with IP network 1440.
[00145] EVDO network 1430 contains an EVDO sector 1432 which communicates with access node (AN) 1434. Since the EVDO network 1430 is a data only network, access node 1434 communicates only with PDSN 1428 and not with any circuit switched components.
[00146] An authentication, authorization and accounting node 1436 is associated with AN 1434, and a similar node 1429 is associated with PDSN 1428.
[00147] Operationally, mobile device 1410 communicates wirelessly with
CDMA
network 1420 using BTS 1422 and BSC 1424 to gain access to the CDMA lx
network.
[00148] Mobile device 1410 sends and receives both data and voice services
through CDMA network 1420 until an EVDO network connection with established,
at
which point data can be transmitted over the EVDO network connection.
[00149] Further, mobile device 1410 can be connected to a computing device
1454 such as a tablet for a variety of reasons, some of which are provided
above. The
connection may be through various means such as a Universal Serial Bus (USB)
or
other serial port, or by short range wireless communications with a computing
device
1454. Computing device 1454 can then gain access to data network 1440 and to
enterprise server 1444 through EVDO network 1430 or CDMA network 1420 using
mobile device 1410. In other embodiments, computing device 1454 may also be
capable of accessing networks 1420, 1430 or 1470 directly.
[00150] Mobile device 1410 may further have capabilities to communicate
through
access point 1470 using, for example, Wi-Fi. Access point 1470 connects to a
data
network 1440 and thus access to wireless gateway 1442 and enterprise server
1444 are
possible through access point 1470
[00151] In one embodiment, enterprise server 1444 could provide both the
IT
policies for the mobile device 1410 and also provide access to a permanent
store of the
corporate data which can be accessed by mobile device 1410.
[00152] The embodiment of Figure 14 is merely an example and other network architectures are possible for mobile device 1410 to connect to enterprise server 1444. The embodiment of Figure 14 is not meant to be limiting to any particular network architecture.
[00153] Further, mobile device 1410 may not be a dual mode or multi-mode device that allows connection to Wi-Fi. In this case, the Wi-Fi connection to access point 1470 would be removed from the embodiment of Figure 14 and all communication may proceed over the cellular network through the base station 1422 or 1432. In other embodiments, mobile device 1410 may only have access through an access point 1470 and thus the cellular network would be removed from Figure 14. Other possibilities would be apparent to those skilled in the art having the benefit of the present disclosure.
[00154] Computing device 1454 may, in some embodiments, comprise a personal computing device. For example, computing device 1454 may comprise a tablet computer. The user may further wish to use computing device 1454 for corporate functions. However, for security reasons, the corporate IT department may not consider the computing device 1454 to be a secure destination for data, since it is a personal device.
[00155] The device of Figure 1 could be a mobile device. One such example mobile device is illustrated below with reference to Figure 15. The mobile device of Figure 15 is however not meant to be limiting and other mobile devices could also be used.
[00156] Mobile device 1500 may comprise a two-way wireless communication device having any of voice capabilities, data communication capabilities, or both. Mobile device 1500 generally has the capability to communicate with other devices or computer systems. Depending on the exact functionality provided, the mobile device may be referred to as a data messaging device, a two-way pager, a wireless e-mail device, a cellular telephone with data messaging capabilities, a wireless Internet appliance, a wireless device, a user equipment, a tablet, or a data communication device, as examples.
[00157] Where mobile device 1500 is enabled for two-way communication, it may incorporate a communication subsystem 1511, including both a receiver 1512 and a transmitter 1514, as well as associated components such as one or more antenna elements 1516 and 1518, local oscillators (LOs) 1513, and a processing module such as a digital signal processor (DSP) 1520. As will be apparent to those skilled in the field of communications, the particular design of the communication subsystem 1511 will be dependent upon the communication network in which the device is intended to operate.
[00158] Network access requirements will also vary depending upon the type of network 1519. In some networks, network access is associated with a subscriber or user of mobile device 1500. A mobile device may require a removable user identity module (RUIM) or a subscriber identity module (SIM) card in order to operate on the network. The SIM/RUIM interface 1544 may be similar to a card-slot into which a SIM/RUIM card can be inserted and ejected like a diskette or PCMCIA card. The SIM/RUIM card can have memory and hold many key configurations 1551, and other information 1553 such as identification, and subscriber related information.
[00159] When required network registration or activation procedures have been completed, mobile device 1500 may send and receive communication signals over the network 1519. As illustrated in Figure 15, network 1519 can consist of multiple base stations communicating with the mobile device. For example, in a hybrid CDMA 1x EVDO system, a CDMA base station and an EVDO base station communicate with the mobile station and the mobile device is connected to both simultaneously. In other systems such as Long Term Evolution (LTE) or Long Term Evolution Advanced (LTE-A), multiple base stations may be connected to for increased data throughput. Other systems such as GSM, GPRS, UMTS, HSDPA, among others are possible and the present disclosure is not limited to any particular cellular technology.
[00160] Signals received by antenna 1516 through communication network 1519 are input to receiver 1512, which may perform such common receiver functions as signal amplification, frequency down conversion, filtering, channel selection and the like, and in the example system shown in Figure 15, analog to digital (A/D) conversion. A/D conversion of a received signal allows more complex communication functions such as demodulation and decoding to be performed in the DSP 1520. In a similar manner, signals to be transmitted are processed, including modulation and encoding for example, by DSP 1520 and input to transmitter 1514 for digital to analog conversion, frequency up conversion, filtering, amplification and transmission over the communication network 1519 via antenna 1518. DSP 1520 not only processes communication signals, but also provides for receiver and transmitter control. For example, the gains applied to communication signals in receiver 1512 and transmitter 1514 may be adaptively controlled through automatic gain control algorithms implemented in DSP 1520.
[00161] Mobile device 1500 generally includes a processor 1538 which controls the overall operation of the device. Communication functions, including data and voice communications, are performed through communication subsystem 1511. Processor 1538 also interacts with further device subsystems such as the display 1522, flash memory 1524, random access memory (RAM) 1526, auxiliary input/output (I/O) subsystems 1528, serial port 1530, one or more keyboards or keypads 1532, speaker 1534, microphone 1456, other communication subsystem 1540 such as a short-range communications subsystem and any other device subsystems generally designated as 1542. Serial port 1530 could include a USB port or other port known to those in the art having the benefit of the present disclosure.
[00162] Some of the subsystems shown in Figure 15 perform communication-related functions, whereas other subsystems may provide "resident" or on-device functions. Notably, some subsystems, such as keyboard 1532 and display 1522, for example, may be used for both communication-related functions, such as entering a text message for transmission over a communication network, and device-resident functions such as a calculator or task list, among other applications.
[00163] Operating system software used by the processor 1538 may be stored in a persistent store such as flash memory 1524, which may instead be a read-only memory (ROM) or similar storage element (not shown). Those skilled in the art will appreciate that the operating system, specific device applications, or parts thereof, may be temporarily loaded into a volatile memory such as RAM 1526. Received communication signals may also be stored in RAM 1526.
[00164] As shown, flash memory 1524 can be segregated into different areas for both computer programs 1558 and program data storage 1550, 1552, 1554 and 1556. These different storage types indicate that each program can allocate a portion of flash memory 1524 for its own data storage requirements. The applications may be segregated based on the mode or category they fall into. Memory 1524 may further provide security for corporate data, for example where some applications are locked while others are not.
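The following is an added illustration, not code from the patent or from its assignee, of the storage segregation just described together with the mode-based access restriction stated in the abstract: flash memory is modelled as one region per mode, each application is registered in exactly one mode, an application may reach only its own private area and the shared data (such as a connection profile) of its own mode, and a whole mode can be locked so its applications are refused access while applications in other modes continue to work. The mode names "personal" and "corporate", the class and method names, and the sample profile values are assumptions made for the example.

```python
"""Added example: per-mode storage segregation with a lockable mode.

Assumptions (not from the patent): two modes, "personal" and "corporate";
each application belongs to exactly one mode; shared per-mode data stands in
for a connection profile; locking a mode refuses all access to its region.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when an application asks for data outside its own mode."""


@dataclass
class ModeRegion:
    """One region of flash memory, holding everything that belongs to a mode."""
    mode: str
    locked: bool = False
    app_data: dict = field(default_factory=dict)   # app name -> {key: value}
    profile: dict = field(default_factory=dict)    # data shared by apps of this mode


class SegregatedFlash:
    """Hypothetical model of flash memory split into one region per mode."""

    def __init__(self, modes):
        self.regions = {m: ModeRegion(m) for m in modes}
        self.apps = {}  # app name -> mode it was installed under

    def install(self, app, mode):
        if mode not in self.regions:
            raise ValueError(f"unknown mode {mode!r}")
        self.apps[app] = mode
        self.regions[mode].app_data[app] = {}

    def _authorize(self, app, mode):
        # The access check: the caller must be registered in the mode whose
        # region it asks for, and that region must not currently be locked.
        if app not in self.apps:
            raise AccessDenied(f"{app!r} is not installed")
        if self.apps[app] != mode:
            raise AccessDenied(f"{app!r} runs in {self.apps[app]!r} mode, not {mode!r}")
        region = self.regions[mode]
        if region.locked:
            raise AccessDenied(f"{mode!r} region is locked")
        return region

    # Private per-application storage (always within the caller's own mode).
    def put(self, app, key, value):
        self._authorize(app, self.apps.get(app)).app_data[app][key] = value

    def get(self, app, key):
        return self._authorize(app, self.apps.get(app)).app_data[app][key]

    # Shared per-mode data, e.g. a connection profile; the caller names the
    # mode explicitly so a cross-mode request is visibly refused.
    def put_profile(self, app, mode, key, value):
        self._authorize(app, mode).profile[key] = value

    def get_profile(self, app, mode, key):
        return self._authorize(app, mode).profile[key]

    def lock(self, mode):
        self.regions[mode].locked = True

    def unlock(self, mode):
        self.regions[mode].locked = False


def demo():
    """Walk through the cases the text describes; returns a dict of outcomes."""
    flash = SegregatedFlash(["personal", "corporate"])
    flash.install("mail", "corporate")
    flash.install("game", "personal")
    # Constructed sample values; a real profile would carry APN or VPN settings.
    flash.put_profile("mail", "corporate", "vpn_gateway", "vpn.example.invalid")
    flash.put("game", "high_score", 42)

    results = {}
    results["corporate_app_reads_own_profile"] = flash.get_profile("mail", "corporate", "vpn_gateway")
    try:
        flash.get_profile("game", "corporate", "vpn_gateway")
        results["personal_app_reads_corporate_profile"] = "allowed"
    except AccessDenied:
        results["personal_app_reads_corporate_profile"] = "denied"

    flash.lock("corporate")  # corporate applications locked, personal ones not
    try:
        flash.get_profile("mail", "corporate", "vpn_gateway")
        results["corporate_app_while_locked"] = "allowed"
    except AccessDenied:
        results["corporate_app_while_locked"] = "denied"
    results["personal_app_while_corporate_locked"] = flash.get("game", "high_score")

    flash.unlock("corporate")
    results["corporate_app_after_unlock"] = flash.get_profile("mail", "corporate", "vpn_gateway")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is that the authorization decision keys on the mode an application was installed under, not on anything the application supplies at call time, so a personal application cannot name the corporate region and obtain its profile, and locking the corporate region leaves personal applications unaffected.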
[00165] Processor 1538, in addition to its operating system functions, may enable execution of software applications on the mobile device. A predetermined set of applications that control basic operations, including data or voice communication applications for example, as well as a predetermined set of certificates, will normally be installed on mobile device 1500 during manufacturing. Other applications could be installed subsequently or dynamically.
[00166] Applications and software, such as those described above may be stored on any computer readable storage medium. The computer readable storage medium may be a tangible or intransitory/non-transitory medium such as optical (e.g., CD, DVD, etc.), magnetic (e.g., tape) or other memory known in the art.
[00167] One example software application may be a personal information manager (PIM) application having the ability to organize and manage data items relating to the user of the mobile device such as, but not limited to, e-mail, calendar events, voice mails, appointments, and task items. Further applications, including, but not limited to, a media player, camera, messenger, mail, calendar, address book, web browser, social networking, game, electronic book reader, map, or other application may also be loaded onto the mobile device 1500 through the network 1519, an auxiliary I/O subsystem 1528, serial port 1530, short-range communications subsystem 1540 or any other suitable subsystem 1542, and installed by a user in the RAM 1526 or a non-volatile store (not shown) for execution by the processor 1538. Such flexibility in application installation increases the functionality of the device and may provide enhanced on-device functions, communication-related functions, or both. For example, secure communication applications may enable electronic commerce functions and other such financial transactions to be performed using the mobile device 1500.
[00168] In a data communication mode, a received signal such as a text message or web page download will be processed by the communication subsystem 1511 and input to the processor 1538, which may further process the received signal for output to the display 1522, or alternatively to an auxiliary I/O device 1528.
[00169] A user of mobile device 1500 may also compose data items such as email messages for example, using a keyboard 1532, which may comprise a virtual or physical keyboard or both, and may include a complete alphanumeric keyboard or telephone-type keypad, among others, in conjunction with the display 1522 and possibly an auxiliary I/O device 1528. Such composed items may then be transmitted over a communication network through the communication subsystem 1511.
[00170] For voice communications, overall operation of mobile device 1500 is similar, except that received signals would typically be output to one or more speakers 1534 and signals for transmission would be generated by a microphone 1536. Alternative voice or audio I/O subsystems, such as a voice message recording subsystem, may also be implemented on mobile device 1500. Although voice or audio signal output may be accomplished primarily through the one or more speakers 1534, display 1522 may also be used to provide an indication of the identity of a calling party, the duration of a voice call, or other voice call related information for example.
[00171] Serial port 1530 in Figure 15 would normally be implemented in a personal digital assistant (PDA)-type mobile device for which synchronization with a user's desktop computer (not shown) may be desirable, but is an optional device component. Such a port 1530 would enable a user to set preferences through an external device or software application and would extend the capabilities of mobile device 1500 by providing for information or software downloads to mobile device 1500 other than through a wireless communication network. The alternate download path may for example be used to load an encryption key onto the device through a direct and thus reliable and trusted connection to thereby enable secure device communication. As will be appreciated by those skilled in the art, serial port 1530 can further be used to connect the mobile device to a computer to act as a modem.
[00172] Other communications subsystems 1540, such as a short-range communications subsystem, are further optional components which may provide for communication between mobile device 1500 and different systems or devices, which need not necessarily be similar devices. For example, the subsystem 1540 may include an infrared device and associated circuits and components, near field communications (NFC) or a Bluetooth™ communication module to provide for communication with similarly enabled systems and devices.
[00173] The embodiments described herein are examples of structures, systems or methods having elements corresponding to elements of the techniques of this application. This written description may enable those skilled in the art to make and use embodiments having alternative elements that likewise correspond to the elements of the techniques of this application. The intended scope of the techniques of this application thus includes other structures, systems or methods that do not differ from the techniques of this application as described herein, and further includes other structures, systems or methods with insubstantial differences from the techniques of this application as described herein.

Representative Drawing
A single figure which represents the drawing illustrating the invention.
Administrative Status

Title Date
Forecasted Issue Date 2017-01-17
(22) Filed 2013-02-07
Examination Requested 2013-02-07
(41) Open to Public Inspection 2013-08-16
(45) Issued 2017-01-17

Abandonment History

There is no abandonment history.

Maintenance Fee

Last Payment of $347.00 was received on 2024-02-02


Upcoming maintenance fee amounts

Description Date Amount
Next Payment if standard fee 2025-02-07 $347.00
Next Payment if small entity fee 2025-02-07 $125.00


Payment History

Fee Type Anniversary Year Due Date Amount Paid Paid Date
Request for Examination $800.00 2013-02-07
Registration of a document - section 124 $100.00 2013-02-07
Registration of a document - section 124 $100.00 2013-02-07
Registration of a document - section 124 $100.00 2013-02-07
Application Fee $400.00 2013-02-07
Maintenance Fee - Application - New Act 2 2015-02-09 $100.00 2015-02-03
Maintenance Fee - Application - New Act 3 2016-02-08 $100.00 2016-02-02
Registration of a document - section 124 $100.00 2016-06-27
Final Fee $300.00 2016-12-05
Maintenance Fee - Patent - New Act 4 2017-02-07 $100.00 2017-01-20
Maintenance Fee - Patent - New Act 5 2018-02-07 $200.00 2018-02-05
Maintenance Fee - Patent - New Act 6 2019-02-07 $200.00 2019-02-04
Maintenance Fee - Patent - New Act 7 2020-02-07 $200.00 2020-01-31
Maintenance Fee - Patent - New Act 8 2021-02-08 $204.00 2021-01-29
Maintenance Fee - Patent - New Act 9 2022-02-07 $203.59 2022-01-28
Maintenance Fee - Patent - New Act 10 2023-02-07 $263.14 2023-02-03
Maintenance Fee - Patent - New Act 11 2024-02-07 $347.00 2024-02-02
Owners on Record

Note: Records showing the ownership history in alphabetical order.

Current Owners on Record
BLACKBERRY LIMITED
Past Owners on Record
RESEARCH IN MOTION LIMITED
Past Owners that do not appear in the "Owners on Record" listing will appear in other documentation within the application.
Documents



Document Description Date (yyyy-mm-dd) Number of pages Size of Image (KB)
Abstract 2013-02-07 1 9
Description 2013-02-07 35 1,621
Claims 2013-02-07 3 88
Drawings 2013-02-07 13 161
Representative Drawing 2013-07-19 1 7
Cover Page 2013-08-26 1 34
Claims 2015-01-16 3 104
Claims 2016-01-20 3 115
Representative Drawing 2016-05-31 1 7
Representative Drawing 2016-12-22 1 9
Cover Page 2016-12-22 1 35
Assignment 2013-02-07 17 898
Prosecution-Amendment 2014-07-17 3 93
Prosecution-Amendment 2015-01-16 7 244
Fees 2015-02-03 1 66
Examiner Requisition 2015-07-20 5 291
Amendment 2016-01-20 7 256
Maintenance Fee Payment 2016-02-02 1 60
Assignment 2016-06-27 7 180
Assignment 2016-06-27 7 180
Final Fee 2016-12-05 1 43
Maintenance Fee Payment 2017-01-20 1 65