

Title:
APPARATUS AND METHOD FOR SECURE INTERPROCESS MESSAGING
Document Type and Number:
WIPO Patent Application WO/2020/030270
Kind Code:
A1
Abstract:
An apparatus includes a processor configured to execute non-transitory machine readable program instructions. The processor is configured to associate a sending application with a first security category and associate a receiving application with a second security category. The processor is configured to receive, in a message router, an inter-process message from the sending application, wherein the inter-process message includes an indication of the sending application and the receiving application. The processor determines a permission for the inter-process message based on the first security category and the second security category. When the permission is granted, the processor forwards the inter-process message to the receiving application, and when the permission is denied, the processor blocks the inter-process message. Associating the sending and receiving applications with security categories significantly simplifies configuration of messaging rules and security policies for applications installed on a computing apparatus.

Inventors:
HÄMÄLÄINEN JANNE (SE)
LIAN GANG (SE)
RUSANEN ANTTI (SE)
YE ZONGBO (SE)
YANG ZONGJUN (SE)
Application Number:
PCT/EP2018/071556
Publication Date:
February 13, 2020
Filing Date:
August 08, 2018
Assignee:
HUAWEI TECH CO LTD (CN)
HAEMAELAEINEN JANNE (SE)
International Classes:
H04L29/06; G06F21/60; H04W12/00
Domestic Patent References:
WO2014168954A1 (2014-10-16)
Foreign References:
US20100242086A1 (2010-09-23)
EP1811387A1 (2007-07-25)
Other References:
None
Attorney, Agent or Firm:
KREUZ, Georg (DE)
Claims:
CLAIMS

What is claimed is:

1. An apparatus (100) comprising:

a processor (152) configured to execute non-transitory machine readable program instructions, wherein the processor (152) is configured to:

associate a sending application (108) with a first security category;

associate a receiving application (112) with a second security category;

receive, in a message router (116), an inter-process message (128) from the sending application (108), wherein the inter-process message (128) comprises an indication of the sending application (108) and the receiving application (112);

determine a permission for the inter-process message (128) based on the first security category and the second security category; and

when the permission is granted, forward the inter-process message (128) to the receiving application (112); and when the permission is denied, block the inter-process message (128).

2. The apparatus (100) of claim 1 wherein the inter-process message (128) comprises an indication of a type of message, and wherein the processor (152) is configured to determine the permission for the inter-process message (128) based on the type of the message, wherein the type of the message comprises one or more of a kind of action and a kind of data being acted upon.

3. The apparatus (100) according to any one of claims 1 or 2 wherein the processor (152) is configured to:

modify a state of the processor (152) based on the inter-process message (128), and

determine the permission for the inter-process message (128) based on the modified state of the processor (152).

4. The apparatus (100) according to any one of the preceding claims wherein the processor (152) is configured to determine one or more of the first security category and the second security category based on information related to one or more of the sending application (108) and the receiving application (112), wherein the information related to the one or more of the sending application (108) and the receiving application (112) comprises one or more of: a virus scan (122), data obtained from a social proof service (124), input from a user (126) of the apparatus (100), installation information (202), vendor entitlements (204), application specific security requirements (206), and a machine learning application (208).

5. The apparatus (100) according to claim 4 wherein the processor (152) is configured to give priority to user inputs when determining the one or more of the first security category and the second security category.

6. The apparatus (100) according to claim 4 wherein the processor (152) is configured to determine the one or more of the first security category and the second security category based on vendor entitlements when the installation information indicates the one or more of the sending application (108) and the receiving application (112) originated from an untrusted source.

7. The apparatus (100) according to any one of the preceding claims wherein the processor (152) is configured to change the one or more of the first security category and the second security category to a more trusted security category when the permission of the inter-process message (128) has not been denied for a pre-determined amount of time or a pre-determined amount of inter-process messages have been sent between the sending application (108) and the receiving application (112).

8. The apparatus (100) according to any one of the preceding claims wherein each security category is associated with one or more messaging policies, and wherein the processor (152) is configured to dynamically modify the one or more messaging policies.

9. The apparatus (100) according to any one of the preceding claims wherein the one or more of the sending application and the receiving application are members of a group of highly protected applications and wherein the processor (152) is configured to associate a highly protected security category with the group of protected applications, wherein the group of protected applications is defined by one or more of: a provider of the application, vendor entitlements, and user input.

10. The apparatus (100) according to any one of the preceding claims wherein the processor (152) is configured to record in a messaging history (140) the permission and associated inter-process message information, and wherein the processor (152) is configured to modify the one or more of the first security category and the second security category based on the messaging history.

11. The apparatus (100) according to any one of the preceding claims wherein the processor (152) is configured to associate the sending application with a first one or more security categories, associate the receiving application with a second one or more security categories, and to determine the permission for the inter-process message (128) based on the first one or more security categories and the second one or more security categories.

12. The apparatus (100) according to any one of the preceding claims wherein the first security category is the same as the second security category.

13. A method (300) comprising:

associating (302) a sending application with a first security category;

associating (304) a receiving application with a second security category;

receiving (306) in a message router, an inter-process message from the sending application, wherein the inter-process message comprises an indication of the sending application and the receiving application;

determining (308) a permission for the inter-process message based on the first security category and the second security category; and

when the permission is granted, forwarding (412) the inter-process message to the receiving application; and when the permission is denied, blocking (416) the inter-process message.

14. The method (300) according to claim 13 comprising determining one or more of the first security category and the second security category based on information related to one or more of the sending application and the receiving application, wherein the information related to the one or more of the sending application and the receiving application comprises one or more of: a virus scan, data obtained from a social proof service, input from a user of the apparatus, installation information, vendor entitlements, application specific security requirements, and a machine learning application.

15. A non-transitory computer readable media having stored thereon program instructions that when executed by a processor (152) are configured to cause the processor (152) to perform the method of any of claims 13 or 14.

Description:
APPARATUS AND METHOD FOR SECURE INTERPROCESS MESSAGING

TECHNICAL FIELD

[0001] The aspects of the present disclosure relate generally to mobile computing devices and more particularly to security mechanisms used in mobile computing devices.

BACKGROUND

[0002] Software applications designed for modern mobile computing apparatus are often configured as a set of activity oriented services rather than standalone applications or software programs. Popular mobile operating systems or application frameworks, such as ANDROID, IOS, or WINDOWS, provide rich inter-process communication (IPC) mechanisms to seamlessly integrate these activity oriented applications into a single unified user experience.

[0003] Open standards and well documented computing platforms yield many different software applications developed by many different sources. The device manufacturer and/or distributor no longer has control over all software applications at all times. To mitigate risks posed by software applications originating from unknown and often untrusted sources, various inter-process communication (IPC) mechanisms can be included in the software operating platform. Certain IPC messages trigger a user prompt asking the user to grant permission or select an application to process the message. This type of permission checking may be referred to as a reference monitor and is included in some IPC mechanisms. Unfortunately users may not understand the permission being requested, or may view the popup windows as a nuisance.

[0004] An operating platform may seek to improve security by imposing requirements when installing software applications such as requiring any new software packages be cryptographically signed by a known authority before installing the software. However this limits the range and type of software applications available for the mobile computing device.

[0005] Alternatively, or in addition, a message firewall or message router may be used to control IPC message traffic. The ANDROID Intent Firewall is an example of a rules based message router. The rules used in a rules based message router can be complex and need to be configured with both the source and destination in mind. While it is sometimes possible to automate updates, someone still needs to evaluate every application and design rules that match the needs of the application and security policies. This can be an expensive and time consuming process.

[0006] With the ever increasing number of applications and growth of new and sophisticated security attacks the existing IPC message protections have proven to be insufficient. Sophisticated applications can exploit implementation flaws to gain access to privileged services and breach system security. Malicious applications are becoming increasingly sophisticated and more widely distributed. Thus it is desirable to have improved apparatus and methods for controlling and protecting IPC messaging in mobile computing apparatus. Accordingly, it would be desirable to provide methods and apparatus that address at least some of the problems identified above.

SUMMARY

[0007] It is an object of the present invention to provide improved methods and apparatus adapted to provide a simplified way to manage and control inter-process communications among the many applications executing on a computing apparatus.

[0008] According to a first aspect, the above and further objects and advantages are obtained by an apparatus that includes a processor configured to execute non-transitory machine readable program instructions. The processor is configured to associate a sending application with a first security category and associate a receiving application with a second security category. The processor is configured to receive, in a message router, an inter-process message from the sending application, wherein the inter-process message includes an indication of the sending application and the receiving application. The processor determines a permission for the inter-process message based on the first security category and the second security category. When the permission is granted, the processor forwards the inter-process message to the receiving application, and when the permission is denied, the processor blocks the inter-process message. Associating the sending and receiving applications with security categories significantly simplifies the work required to configure messaging rules and security policies for applications installed on a computing apparatus.

[0009] In a first possible implementation form of the apparatus according to the first aspect the inter-process message includes an indication of a type of message, and the processor is configured to determine the permission for the inter-process message based on the type of the message. The type of the message includes one or more of a kind of action and a kind of data being acted upon. Including the type of message, such as kind of action and a kind of data allows different messaging rules to be associated with the security categories for different types of messages.

[0010] In a second possible implementation form of the apparatus according to the first aspect as such the processor is configured to modify a state of the processor based on the inter-process message, and to determine the permission for the inter-process message based on the modified state of the processor. This provides improved security within the apparatus. For example, determination of a permission for secure cryptographic operations should be made within a secure execution environment rather than in the less secure normal world execution environment.

[0011] In a further possible implementation form of the apparatus the processor is configured to determine one or more of the first security category and the second security category based on information related to one or more of the sending application and the receiving application, wherein the information related to the one or more of the sending application and the receiving application includes one or more of: a virus scan, data obtained from a social proof service, input from a user of the apparatus, installation information, vendor entitlements, application specific security requirements, and a machine learning application. Basing determination of the desired security category on a wide range of information sources improves the security of the apparatus by more reliably selecting the security category to be associated with each application.

[0012] In a further possible implementation form of the apparatus the processor is configured to give priority to user inputs when determining the one or more of the first security category and the second security category. It is often desirable to allow the user to override any automated determinations being made by the apparatus.

[0013] In a further possible implementation form of the apparatus the processor is configured to determine the one or more of the first security category and the second security category based on vendor entitlements when the installation information indicates the one or more of the sending application and the receiving application originated from an untrusted source. Giving priority to vendor entitlements provides a reliable way of determining the best security category for an application because the vendor is able to thoroughly test the application with all other software components being distributed on the apparatus.
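The following is an example added by the editor, not code from the application or from Huawei, showing one way to implement the category determination of forms [0011] to [0013] in Python. The category names, the evidence fields, the social proof thresholds (0.8 and 0.3), the treatment of an application's own declared security requirement as an upper bound only, and the sample applications are assumptions made for the example.

```python
"""Security-category assignment from several evidence sources.

Added example, not code from the application or from Huawei. It implements
the precedence described in forms [0011] to [0013]: the user's explicit
choice overrides automated evidence; when the installation source is untrusted
the vendor entitlement decides; otherwise the automated signals are combined
so that the most cautious one wins. Category names, evidence field names, the
0.8 / 0.3 social-proof thresholds and the sample applications are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Category(IntEnum):
    """Ordered least to most trusted, so min() selects the more cautious category."""
    UNTRUSTED = 0
    NORMAL = 1
    TRUSTED = 2
    HIGHLY_PROTECTED = 3


# Installation sources for which form [0013] applies (assumed names).
UNTRUSTED_SOURCES = {"sideload", "unknown"}


@dataclass
class AppEvidence:
    """Information collected about one application (field names are assumptions)."""
    package: str
    install_source: str                              # e.g. "vendor_store", "sideload"
    virus_scan_clean: Optional[bool] = None          # None: not scanned yet
    social_proof_score: Optional[float] = None       # 0.0 .. 1.0, None: unknown
    vendor_entitlement: Optional[Category] = None    # category granted by the vendor
    required_category: Optional[Category] = None     # app-specific security requirement
    user_choice: Optional[Category] = None           # explicit user input


def category_from_signals(ev: AppEvidence) -> Category:
    """Combine the automated signals of form [0011] conservatively."""
    # A failed virus scan is decisive: nothing else can raise a flagged app.
    if ev.virus_scan_clean is False:
        return Category.UNTRUSTED
    # Social proof sets the baseline; unknown reputation is capped at NORMAL.
    if ev.social_proof_score is None:
        cat = Category.NORMAL
    elif ev.social_proof_score >= 0.8:
        cat = Category.TRUSTED
    elif ev.social_proof_score >= 0.3:
        cat = Category.NORMAL
    else:
        cat = Category.UNTRUSTED
    # An unscanned application never rises above NORMAL, however popular it is.
    if ev.virus_scan_clean is None:
        cat = min(cat, Category.NORMAL)
    # Assumption for this example: an application's own declared requirement
    # may lower its category but never raise it (the app is not a trusted witness).
    if ev.required_category is not None:
        cat = min(cat, ev.required_category)
    return cat


def assign_category(ev: AppEvidence) -> Category:
    """Apply the precedence of forms [0012] and [0013] on top of the signals."""
    # Form [0012]: the user's explicit decision overrides every automated input.
    if ev.user_choice is not None:
        return ev.user_choice
    # Form [0013]: for an untrusted installation source the vendor entitlement
    # decides; with no entitlement the application stays untrusted.
    if ev.install_source in UNTRUSTED_SOURCES:
        if ev.vendor_entitlement is not None:
            return ev.vendor_entitlement
        return Category.UNTRUSTED
    return category_from_signals(ev)


def assign_all(evidence: List[AppEvidence]) -> Dict[str, Category]:
    """Map every application to its category, e.g. when a package is installed."""
    return {ev.package: assign_category(ev) for ev in evidence}


# Constructed sample applications for a stand-alone run.
SAMPLE_APPS = [
    AppEvidence("com.example.game", "sideload"),
    AppEvidence("com.example.partner", "sideload", vendor_entitlement=Category.TRUSTED),
    AppEvidence("com.example.mail", "vendor_store", virus_scan_clean=True, social_proof_score=0.92),
    AppEvidence("com.example.newapp", "vendor_store", virus_scan_clean=None, social_proof_score=0.95),
    AppEvidence("com.example.flagged", "vendor_store", virus_scan_clean=False, social_proof_score=0.9),
    AppEvidence("com.example.override", "vendor_store", virus_scan_clean=False, user_choice=Category.NORMAL),
]

if __name__ == "__main__":
    for pkg, cat in assign_all(SAMPLE_APPS).items():
        print(f"{pkg:24s} -> {cat.name}")
```

Running the module prints a category for each sample application. The point to note is the ordering: a user decision wins outright (including over a failed virus scan, which is what form [0012] implies and which a deployment may want to restrict), an untrusted installation source is decided by the vendor entitlement alone, and among the automated signals the most cautious one wins, so a popular but unscanned application stays at NORMAL.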

[0014] In a further possible implementation form of the apparatus the processor is configured to change the one or more of the first security category and the second security category to a more trusted security category when the permission of the inter-process message has not been denied for a pre-determined amount of time or a pre-determined amount of inter-process messages have been sent between the sending application and the receiving application. Modifying or changing which security category is associated with an application allows the apparatus to adapt to changing conditions and usage patterns. Changing conditions can include for example changes in the number and type of software applications installed on the apparatus, changes in the way the apparatus is being used, and the networks the apparatus is connecting to, as well as any other change in environment or usage of the apparatus.

[0015] In a further possible implementation form of the apparatus each security category is associated with one or more messaging policies, and the processor is configured to dynamically modify the one or more messaging policies. Dynamic modification of the message policies associated with a security category allows the apparatus to adapt to changing conditions and usage patterns.

[0016] In a further possible implementation form of the apparatus the one or more of the sending application and the receiving application are members of a group of highly protected applications and, the processor is configured to associate a highly protected security category with the group of protected applications, wherein the group of protected applications is defined by one or more of: a provider of the application, vendor entitlements, and user input. Identifying an application as a highly secure application allows more secure and reliable association of security categories with applications.

[0017] In a further possible implementation form of the apparatus the processor is configured to record in a messaging history the permission and associated inter-process message information, and to modify the one or more of the first security category and the second security category based on the messaging history. Keeping a history of IPC messages and permissions allows identification of malicious applications that are repeatedly attempting to infiltrate sensitive data or operations, or to identify well behaved applications and to modify the trust of an application accordingly.

[0018] In a further possible implementation form of the apparatus the processor is configured to associate the sending application with a first one or more security categories, associate the receiving application with a second one or more security categories, and to determine the permission for the inter-process message based on the first one or more security categories and the second one or more security categories. Associating an application with multiple security categories allows better control over IPC messages for an application that may have a wide range of functionality and IPC messaging needs.

[0019] In a further possible implementation form of the apparatus the first security category is the same as the second security category. It is often desirable to allow inter-process communications between applications that are associated with the same security category.

[0020] In a further possible implementation form of the apparatus modifying the state of the processor includes switching the processor state from a normal world execution environment to a secure execution environment.

[0021] In a further possible implementation form of the apparatus, the apparatus is a mobile phone.

[0022] According to a second aspect the above and further objects and advantages are obtained by a method that includes associating a sending application with a first security category, associating a receiving application with a second security category, receiving in a message router an inter-process message from the sending application, where the inter-process message comprises an indication of the sending application and the receiving application. The method determines a permission for the inter-process message based on the first security category and the second security category. When the permission is granted, the method forwards the inter-process message to the receiving application, and when the permission is denied, the method blocks the inter-process message. Associating the sending and receiving applications with security categories significantly simplifies configuration of messaging rules and security policies for applications.

[0023] In a first possible implementation form of the method according to the second aspect the method includes determining one or more of the first security category and the second security category based on information related to one or more of the sending application and the receiving application, wherein the information related to the one or more of the sending application and the receiving application includes one or more of: a virus scan, data obtained from a social proof service, input from a user of the apparatus, installation information, vendor entitlements, application specific security requirements, and a machine learning application. Basing determination of the desired security category on a wide range of information sources improves the security of the apparatus by more reliably selecting the security category to be associated with each application.

[0024] According to a third aspect the above and further objects and advantages are obtained by a non-transitory computer readable media having stored thereon program instructions that when executed by a processor cause the processor to perform the method according to the second aspect or to the first implementation form of the second aspect.

[0025] These and other aspects, implementation forms, and advantages of the exemplary embodiments will become apparent from the embodiments described herein considered in conjunction with the accompanying drawings. It is to be understood, however, that the description and drawings are designed solely for purposes of illustration and not as a definition of the limits of the disclosed invention, for which reference should be made to the appended claims. Additional aspects and advantages of the invention will be set forth in the description that follows, and in part will be obvious from the description, or may be learned by practice of the invention. Moreover, the aspects and advantages of the invention may be realized and obtained by means of the instrumentalities and combinations particularly pointed out in the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

[0026] In the following detailed portion of the present disclosure, the invention will be explained in more detail with reference to the example embodiments shown in the drawings, in which:

[0027] Figure 1 illustrates a block diagram of an exemplary computing apparatus to provide an improved inter-process message mechanism in accordance with aspects of the disclosed embodiments.

[0028] Figure 2 illustrates a block diagram of an exemplary computing apparatus to provide an alternative improved inter-process message mechanism according to aspects of the disclosed embodiments.

[0029] Figure 3 illustrates a flow diagram of an exemplary method for providing secure inter-process message processing within a mobile computing apparatus according to aspects of the disclosed embodiments.

DETAILED DESCRIPTION OF THE DISCLOSED EMBODIMENTS

[0030] Figure 1 illustrates a block diagram of an exemplary computing apparatus 100 adapted to provide improved inter-process messaging mechanisms in accordance with embodiments of the present disclosure. The computing apparatus 100 may be incorporated into various types of computing apparatus and mobile communication apparatus such as mobile phones, phablets, tablet computers, laptop computers, set top cable boxes, televisions, automobiles, etc., and can be advantageously employed to provide secure and reliable inter-process communications services for user applications running on the computing apparatus 100. In the exemplary computing apparatus 100, a processor 152 is coupled to a memory 154 and is configured to read and execute non-transitory program instructions stored in the computer memory 154.

[0031] In one embodiment, the processor 152 of the apparatus 100 is configured to associate a sending application 108 with a first security category; associate a receiving application 112 with a second security category; and receive, in a message router 116, an inter-process message 128 from the sending application 108. The inter-process message 128 comprises an indication of the sending application 108 and the receiving application 112. The processor 152 is also configured to determine a permission for the inter-process message 128 based on the first security category and the second security category. When the permission is granted the inter-process message 128 is forwarded to the receiving application 112. When the permission is denied the inter-process message 128 is blocked.
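The following is an example added by the editor, not code from the application or from Huawei, showing one way to implement the message router of paragraph [0031] in Python, together with the message type of form [0009], the promotion of form [0014] (claim 7) and the messaging history of form [0017] (claim 10). The category names, the policy table, the message fields, the promotion and demotion thresholds and the sample traffic are assumptions made for the example; the decision that automatic promotion never reaches the highly protected group is the editor's reading of claim 9, not something the application states.

```python
"""Category-based inter-process message router with messaging history.

Added example, not code from the application or from Huawei. It implements the
router of paragraph [0031] with the message type of form [0009], the promotion
of form [0014] (claim 7) and the messaging history of form [0017] (claim 10).
Category names, policy table, message fields, thresholds and traffic are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Tuple

class Category(IntEnum):
    UNTRUSTED = 0
    NORMAL = 1
    TRUSTED = 2
    HIGHLY_PROTECTED = 3

@dataclass(frozen=True)
class Message:
    sender: str
    receiver: str
    action: str      # kind of action, e.g. "view", "send", "read"
    data_kind: str   # kind of data acted upon, e.g. "public", "account"

# Policy keyed by (sender category, receiver category); each entry lists the
# (action, data_kind) pairs forwarded for that pair, "*" matching anything.
# Anything not listed is denied, so a few category rules replace per-app rules.
POLICY: Dict[Tuple[Category, Category], List[Tuple[str, str]]] = {
    (Category.UNTRUSTED, Category.NORMAL): [("view", "public")],
    (Category.NORMAL, Category.NORMAL): [("*", "*")],
    (Category.NORMAL, Category.TRUSTED): [("view", "*"), ("send", "public")],
    (Category.TRUSTED, Category.TRUSTED): [("*", "*")],
    (Category.TRUSTED, Category.HIGHLY_PROTECTED): [("view", "public")],
    (Category.HIGHLY_PROTECTED, Category.HIGHLY_PROTECTED): [("*", "*")],
}

class MessageRouter:
    def __init__(self, categories: Dict[str, Category], policy=POLICY,
                 promote_after: int = 50, demote_after: int = 5):
        self.categories = dict(categories)
        self.policy = policy
        self.promote_after = promote_after
        self.demote_after = demote_after
        self.history: List[Tuple[Message, bool]] = []     # form [0017]
        self._clean_run: Dict[Tuple[str, str], int] = defaultdict(int)
        self.denials: Dict[str, int] = defaultdict(int)

    def category_of(self, app: str) -> Category:
        # An application with no recorded category is treated as untrusted.
        return self.categories.get(app, Category.UNTRUSTED)

    def decide(self, msg: Message) -> Tuple[bool, str]:
        """Return (permission granted?, reason) from the two categories and the type."""
        s, r = self.category_of(msg.sender), self.category_of(msg.receiver)
        for action, data_kind in self.policy.get((s, r), []):
            if action in ("*", msg.action) and data_kind in ("*", msg.data_kind):
                return True, f"{s.name}->{r.name} permits {msg.action}/{msg.data_kind}"
        return False, f"no rule for {s.name}->{r.name} {msg.action}/{msg.data_kind}"

    def route(self, msg: Message, deliver: Callable[[Message], None]) -> Tuple[bool, str]:
        """Forward or block the message, record it and adapt the sender's category."""
        allowed, reason = self.decide(msg)
        self.history.append((msg, allowed))
        pair = (msg.sender, msg.receiver)
        if allowed:
            deliver(msg)
            self._clean_run[pair] += 1
            if self._clean_run[pair] >= self.promote_after:    # form [0014]
                self._clean_run[pair] = 0
                cat = self.category_of(msg.sender)
                # One step more trusted, never automatically into the highly protected
                # group, which claim 9 reserves for vendor entitlements or user input.
                if cat < Category.TRUSTED:
                    self.categories[msg.sender] = Category(cat + 1)
        else:
            self._clean_run[pair] = 0
            self.denials[msg.sender] += 1
            if self.denials[msg.sender] >= self.demote_after:   # repeated probing
                self.categories[msg.sender] = Category.UNTRUSTED
        return allowed, reason

# Constructed sample: four applications and a short burst of traffic.
SAMPLE_CATEGORIES = {"game": Category.UNTRUSTED, "gallery": Category.NORMAL,
                     "mail": Category.TRUSTED, "bank": Category.HIGHLY_PROTECTED}
SAMPLE_TRAFFIC = [
    Message("game", "bank", "read", "account"),     # blocked: no rule for that pair
    Message("gallery", "mail", "send", "public"),   # forwarded
    Message("gallery", "mail", "view", "contact"),  # forwarded
    Message("gallery", "mail", "view", "public"),   # forwarded: third clean message
    Message("mail", "bank", "read", "account"),     # blocked: only view/public allowed
    Message("mail", "bank", "read", "account"),     # blocked again
]

def run_sample(promote_after: int = 3, demote_after: int = 2) -> MessageRouter:
    """Route the sample; with these thresholds gallery is promoted and mail demoted."""
    router = MessageRouter(SAMPLE_CATEGORIES, promote_after=promote_after, demote_after=demote_after)
    for msg in SAMPLE_TRAFFIC:
        router.route(msg, lambda m: None)   # a real system hands m to the receiver
    return router
```

Two design points matter in practice. The policy is default deny: a pair of categories or a message type that nobody wrote a rule for is blocked, and an application the router has never seen is treated as untrusted, so adding a new application requires assigning it a category rather than writing a rule set for it. The adaptive part is deliberately asymmetric: a run of clean messages promotes a sender one step at a time and stops below the highly protected group, while a small number of denials drops it straight to untrusted, because a sender that repeatedly sends messages the policy rejects is exactly the behaviour paragraph [0017] describes.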

[0032] The processor 152 may be a single processing device or may include a plurality of processing devices including special purpose devices, such as for example, digital signal processing (DSP) devices, microprocessors, specialized processing devices, parallel processing cores, or general purpose computer processors. In certain embodiments the processor 152 may include a central processing unit (CPU) working in tandem with a graphics processing unit (GPU) which may include a DSP or other specialized graphics processing hardware.

[0033] The memory 154 may be any appropriate type of computer memory capable of storing computer program instructions and/or data. The memory 154 may be a combination of various types of volatile and non-volatile computer memory such as for example read only memory (ROM), random access memory (RAM), magnetic or optical disk, or other types of computer operable memory capable of retaining information and making the stored information available to the processor 152 that is communicatively coupled to the memory 154.

[0034] The memory 154 is adapted to store software program instructions or software programs along with associated data as may be useful for the computing apparatus 100. The software programs stored in memory 154 are organized into various software modules or components which may be referred to using terms indicative of the type or functionality provided by each software component. For example, the stored software components may include an operating system (OS), a hypervisor, device or other hardware drivers, and/or various types of user applications such as a media player, an electronic mail application, a banking application, etc. The applications 108, 112 are examples of user applications and the system 114 is an example of an executive type program such as an operating system.

[0035] It is desirable at times to install new or updated user applications onto the computing apparatus 100. User applications or applications 108, 112 may be installed individually or when desired may be installed as part of a package or software package that includes one or more applications. A software package is a collection of one or more related software applications that are delivered together by a software provider, and may include software utilities and other data useful for supporting the included applications.

[0036] Applications 108, 112 may be executed separately or in combination by the processor 152 within a group of computing resources referred to as a process space or process 106, 110. Each process 106, 110 is maintained separately by the processor 152 and includes its own collection of computing resources. The collection of computing resources associated with a process 106, 110 is accessible to software programs or applications 108, 112 executing within that process 106, 110 and may include resources such as a virtual memory space and/or hardware components. The processor 152 is configured to separately manage and when desired isolate the computing resources belonging to one process 106, 110 from access or modification by software applications 108, 112 executing in another process 106, 110. For example the system 114 may be configured to prevent the application 108 executing in process 106 from accessing or modifying computing resources, such as a portion of the memory 154, which has been allocated within process 110 for use by the application 112.

[0037] In modern open computing environments, such as the computing apparatus 100, applications 108, 112 may be obtained from many different sources or vendors. It is therefore important for security purposes to control communication between applications 108, 112. For example, it would be dangerous to allow a gaming application downloaded from an unknown source to access a banking application executing on the same device. To maintain security and integrity of the computing apparatus 100, these applications 108, 112, which may originate from unknown or untrusted sources, can be run in different isolated processes 106, 110 so that the system 114 can prevent one application 108 from accessing or corrupting information belonging to another application 112. To facilitate and regulate communication between applications 108, 112 executing in different processes 106, 110 on the computing apparatus 100, the system 114 provides an inter-process communication (IPC) mechanism 134 which in the illustrated embodiment includes an IPC router 116 configured to send messages between applications 108, 112 in a safe and controlled manner.

[0038] The processor 152 is adapted to implement and enforce a system of priorities which provide a means to protect certain applications or processes from being corrupted or misused by other processes. This system of priorities prevents programs or processes executing at a lower priority from modifying, or otherwise corrupting or misusing, programs or processes executing at a higher priority. In the computing apparatus 100 the system 114 is executed at a higher priority than the applications 108, 112 or their respective process spaces 106, 110. Thus the system of priorities prevents an application 108 from tampering with the IPC Router 116 or other system 114 components to gain unauthorized access to or send unauthorized messages to another application 112.

[0039] It is desirable to have many applications 108, 112 installed on and possibly executing on the computing apparatus 100 at the same time. These applications 108, 112, often obtained from many different sources, are configured to provide a wide range of features and functionality. To maintain integrity of the computing apparatus 100, the system 114 is configured to execute applications 108, 112 in different isolated processes 106, 110 and prevent one application 108 executing in one isolated process 106 from accessing or corrupting computing resources of another application 112 executing within a different process 110. To improve security, direct communication between applications 108, 112 executing in different processes 106, 110 is not allowed. All communication between applications 108, 112 executing in different processes 106, 110 is accomplished through the IPC mechanism 134 which is managed by the system 114.

[0040] Users of modern computing apparatus, such as mobile phones, tablets, etc., have come to expect a consistent integrated user experience among all software applications running on their computing apparatus. To support this consistent integrated computing experience, applications designed to execute on modern computing apparatus, such as the computing apparatus 100, are designed as collections of components and services that expose published interfaces for use by other applications running on the computing apparatus 100. Integration of this multi-application environment is aided by including an IPC messaging mechanism 134 or infrastructure within the system 114 to allow applications to communicate with each other and take advantage of services exposed by other applications.

[0041] When an application 108 executing in one isolated process 106 needs to communicate with another application 112, running in a separate isolated process 110, an IPC message 128 may be sent to an IPC router 116 where the message may be forwarded 130 to a receiving application 112. Because the IPC message router 116 executes as part of the system process 114, applications 108, 112 are not able to tamper with or otherwise interfere with operation of the IPC router 116. Thus the IPC router 116 can, based on a set of rules or other desired criteria or logic, determine whether to forward 130 the message 128 to the receiving application 112, block the message, or perform other desired accounting or data collection based on the IPC message 128. The IPC router 116 is configured to control all communication between the applications 108, 112. Various rules and policies that control how and when IPC messages 128 are forwarded 130, blocked, or otherwise processed are included in the IPC message routing components 134.

[0042] As an aid to understanding, consider a conventional computing apparatus based on the ANDROID™ operating framework developed by GOOGLE INC. In the ANDROID™ operating environment, certain types of inter-process messages 128 are referred to as Intents. ANDROID™ includes a conventional IPC routing component, referred to as an activity manager, which may be configured to coordinate with an intent firewall. The intent firewall employs a set of rules to determine when an Intent should be forwarded, blocked, or otherwise processed. In conventional IPC routing systems, such as the activity manager and intent firewall, these messaging rules need to be configured separately for each application, and every application needs to have its own set of routing rules. Configuring these rules for every application can be tedious and error prone. A user or administrator needs to study the functions and requirements of each application to determine which applications are safe and what messaging rules should be created for each application.

[0043] Additionally, configuration of these rules may require the administrator to have privileges that are higher than the privilege levels desired for normal users, thereby limiting which users are able to configure the rules. Users desiring to modify the routing rules may be granted a higher privilege level, thereby creating greater security risks. It is also difficult for an average user to know what services an application actually needs and what services may pose security vulnerabilities.

[0044] A novel approach for reducing the amount of configuration work required and reducing the knowledge required of the user and/or device administrator is presented herein. Rather than creating messaging rules for each application as is done in conventional computing apparatus, the computing apparatus 100 is in contrast configured to classify applications into a relatively small number of categories, and to define messaging rules and security policies for each category. Because the number of security categories is significantly smaller than the total number of applications 108, 110, much less effort is required to configure messaging rules and security policies for each security category than is required to configure rules and policies for every application separately.

[0045] Assigning messaging rules and/or security policies to each category can also be done in advance without knowledge of all the various applications that may be installed on the computing apparatus 100. The rules for each category may be configured by a skilled administrator when the apparatus 100 or software components are initially developed or configured. These rules may also be easily modified at intervals thereafter. When a new software application 108, 112 is installed, it can be classified into or associated with one of the security categories. Once the application is associated with a security category it will inherit an appropriate set of inter-process communication rules from the security category to which it was assigned or associated.

[0046] The computing apparatus 100 includes a security category service 118 configured to perform various services in support of the IPC Router 116. The security category service 118 may assign or classify applications into security categories, process messaging rules and security policies, and determine 132 how inter-process messages 128, 130 are handled. A category database 120 is used to store inter-process messaging rules and security policies for each security category and to store information that supports assigning or classifying an application to a security category. The category database (DB) 132 may also store any information desirable to enhance operation or auditing of the security category service 118.

[0047] The set of security categories into which the security category service 118 associates applications may be any desired size. A large number of security categories provides finer control over the messaging rules or policies applied to a particular application 108, 112, while a smaller number of security categories simplifies configuration of security within the IPC messaging mechanism.

[0048] In certain embodiments it is desirable to update the Category DB 120 from time to time with new or modified information, or to remove information that is outdated or undesired. For example, it may be advantageous to include new or modified messaging rules, security policies, security categories, and/or category association rules, etc. Updating the category DB 120 is advantageous and allows the apparatus 100 to adapt to new security threats, new or modified application types, and changing user requirements.

[0049] When an application 108, 112 is installed, or at intervals thereafter, the security category service is adapted to obtain information about the installed applications 108, 112 and use this information along with information stored in the category DB 120 to assign a security category to the newly installed application 108, 110.

[0050] The security service 118 is configured to gather information from system services 122, 124, 126 that may have knowledge about the application 110, 112 and to use this information to aid assignment or association of an appropriate security category.

[0051] In one embodiment system services 122, 124, 126 used to gather information about an installed application 108, 112 may include one or more of a virus scanner 122, a social proofing service 124, or inputs 126 obtained from a user of the computing apparatus 100. The virus scanner 122 checks software and data being installed for known viruses or other security threats or malicious software signatures. A social proofing service 124 is a service that scans public networks, such as the internet, to locate information about the installed application 108, 112 and/or about experience of other users that have installed, evaluated, or are using the application. Inputs from a user of the computing apparatus 100 may be solicited by a user input 126 component.

[0052] The security category service 118 associates the application 108, 112 with a security category based on the information obtained from the system services 122, 124, 126, information stored in the history DB, and/or any other appropriate information available about the application 108, 112 and the computing apparatus 100. The security category service 118 may also be configured to apply rules to the inputs obtained from the system services 122, 124, 126 when selecting the security category to associate with the application 108, 112. For example, in one embodiment user inputs 126, which are obtained from a user of the computing apparatus 100, may be configured to override information provided by a virus scanner 122 and/or a social proofing service 124.

[0053] As described above, the computing apparatus 100 is configured to prevent one application 108 from sending a message 128 directly to a second application 112. In the computing apparatus 100, all inter-process messages 128 must be sent to the IPC Router 116. The IPC Router 116 contacts 132 the security category service 118 to determine how the message should be handled, and when allowed, the IPC Router 116 forwards the message 130 to the receiving application 112.

[0054] When the IPC Router 116 receives a message 128 it contacts 132 the security category service 118 for a determination of how the message 128 should be processed. The security category service then examines all information about the message 128 such as the type of message, message contents, as well as the application 108 that is sending the message 128 and the application 112 to which the message 128 may be forwarded 130, to make a determination about how the message 128 should be processed.

[0055] A type of the inter-process message 128 may be used to indicate the kind of action being requested by the inter-process message 128. For example a kind of action could be cryptographic services, a lookup of a name in an address book, displaying information to a user, or any other useful service or action. The type of message may also indicate a type of data included in the message. The data can include for example, a password, a photograph, a media file, or other kind of data as desired.

[0056] Messaging rules for the IPC message 128 can then be identified based on a first security category associated with the sending application 108 and a second security category associated with the receiving application 112. The first security category and the second security category may be the same or they may be different. The security category service 118 then determines whether to block or forward the IPC message 128 based on information obtained from the Category DB 120 such as messaging rules and/or security policies corresponding to the first and second security category.

[0057] The security category service 118 may also solicit information from a User Input service 126 to aid its determination of how to process the IPC message 128. The User Input service 126 may solicit information directly from the user. Alternatively the User Input service 126 may rely on previously obtained user inputs or predetermined default values. In one embodiment information received from the User Input 126 may override messaging rules or other information stored in the Category DB.

[0058] In certain embodiments, an application 108, 112 may be associated with multiple security categories. In these embodiments the security category service 118 may consider messaging rules and other information associated with all the security categories associated with both the sending application 108 and the receiving application 112.

[0059] IPC messages 128 may be forwarded 130 to the receiving application 112 or they may be blocked. As will be discussed further below, in addition to forwarding or blocking a message 128, the IPC Router 116 or the security category service 118 may be configured to perform other desired operations. For example, it may be advantageous to quarantine certain applications based on attempts to access services to which they are not authorized, record an audit trail in the history database 140, or perform any other desired type of security related processing.

[0060] In one embodiment the security category service 118 is configured to maintain a history DB 140 having information about processed messaging requests 128. The history database 140 may record information about the sending and receiving applications, the IPC message 128, the security categories associated with the sending and receiving applications 108, 112 at the time the IPC message 128 was processed, as well as results of processing the message request 128. The result of processing a message may include information about whether the message was forwarded 130 or blocked. In certain embodiments information about permissions, and the rules considered when processing an inter-process message 128, may be advantageously included in the history database 140. Information stored in the history DB 140 may be employed as an audit trail or for other auditing or monitoring operations.

[0061] Information in the history DB 140 may be used by the security category service 118 to dynamically adjust the security category, or categories, associated with each application 108, 112. For example, if an application 108 is found to be sending message requests 128 that are continually rejected by the security category service 118, the security category service 118 may recognize this as a possible security issue or malicious application and adjust the security category associated with the sending application 108 accordingly. Similarly, the security category of the receiving application may be adjusted to increase security in light of a possible new security threat. Similarly, an application may be associated with a highly restrictive security category when first installed and, over time, when it is observed, as indicated by information in the history DB 140, that the application is well behaved, the security category may be adjusted accordingly. In certain embodiments it may be desirable to dynamically adjust the security category associated with an application 108, 112 based on other inputs such as inputs received from the Virus scanner 122 and the Social Proof Service 124.

[0062] In one embodiment the security category service may associate an application 108, 112 with a security category at the time it is installed based on information about the type of application being installed. This is particularly useful when the application 108, 112 is obtained from a trusted source and for example is cryptographically signed in such a fashion that allows the contents of the application to be verified prior to installation. As used herein a trusted application is a software program that is obtained from a trusted source and that is cryptographically signed in such a fashion. It may be advantageous to associate a trusted application with a higher security category than an untrusted application such as an application obtained from an unknown or unverified source.

[0063] For example a banking application obtained from the user’s own bank or a media player obtained from a reputable software company may be afforded a higher degree of trust and be associated with a security category that indicates a higher level of trust and allows access to sensitive services. In contrast a game downloaded from an unknown site on the internet should be associated with a security category indicating a low level of trust and preventing access to any sensitive information or services.
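The category assignment described in paragraphs [0051] to [0052] and [0062] to [0063] can be written out as a small precedence function. The following is an added example and is not code from the patent or from the assignee; the category names, the shape of the gathered inputs, the precedence order (user input overrides the other services, a scanner hit quarantines, a verified trusted source earns the trusted category, strong social proof lifts an unknown application off the default) and the social-proof thresholds are all assumptions made for this illustration.

```python
"""Security-category assignment from virus scanner, social proofing, package signing
and user inputs. Added example, not code from the patent; names, input shapes,
precedence order and thresholds are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed categories, ordered least to most trusted.
QUARANTINED, UNTRUSTED, STANDARD, TRUSTED = "QUARANTINED", "UNTRUSTED", "STANDARD", "TRUSTED"
CATEGORIES = (QUARANTINED, UNTRUSTED, STANDARD, TRUSTED)


@dataclass(frozen=True)
class AppInputs:
    """Everything the security category service gathered about one installation."""
    name: str
    scanner_flagged: bool            # virus scanner matched a known malicious signature
    signed_by_trusted_source: bool   # verified signature from a trusted source
    proof_evaluations: int           # social proofing: number of public evaluations found
    proof_rating: float              # social proofing: mean rating on an assumed 0..5 scale
    user_category: Optional[str] = None   # explicit user choice, if the user was asked


def assign_category(app: AppInputs, min_evaluations: int = 100,
                    min_rating: float = 4.0) -> Tuple[str, str]:
    """Return (category, reason) for a newly installed application.

    Assumed precedence: user input > virus scanner > trusted source > social proof.
    Anything without a positive basis for trust starts in the default (untrusted)
    category and can only be moved later by observed behaviour.
    """
    if app.user_category is not None:
        if app.user_category not in CATEGORIES:
            raise ValueError(f"unknown category {app.user_category!r}")
        return app.user_category, "user input overrides service inputs"
    if app.scanner_flagged:
        return QUARANTINED, "virus scanner flagged the package"
    if app.signed_by_trusted_source:
        return TRUSTED, "verified signature from a trusted source"
    if app.proof_evaluations >= min_evaluations and app.proof_rating >= min_rating:
        return STANDARD, f"{app.proof_evaluations} evaluations, mean rating {app.proof_rating:.1f}"
    return UNTRUSTED, "no basis for trust; default category"


# Constructed sample installations, loosely mirroring the examples in [0063].
SAMPLE_INSTALLS = [
    AppInputs("bank", False, True, 2000, 4.6),
    AppInputs("unknown_game", False, False, 12, 4.9),
    AppInputs("media_player", False, False, 5000, 4.4),
    AppInputs("flagged_tool", True, False, 5000, 4.8),
    AppInputs("forced_by_user", True, False, 0, 0.0, user_category=STANDARD),
]


def classify_all(installs=SAMPLE_INSTALLS) -> Dict[str, str]:
    """Assign a category to every sample installation."""
    return {a.name: assign_category(a)[0] for a in installs}
```

The `reason` string returned alongside the category is what an audit trail would record, so that a later review can see why an application landed in a category rather than only which category it was given.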

[0064] As used herein the term "more trusted security category" refers to a security category that is allowed access to a greater number of system services, or is allowed to exchange messages with a greater number of applications, or may be allowed access to more sensitive security services, as compared to another security category. Thus changing the security category with which an application 108, 112 is associated to a more trusted category has the effect of increasing the services or resources with which the application 108, 112 is allowed to exchange IPC messages 128.

[0065] Once the security category service 118 has made a determination about how to process the message 128, the security category service 118 returns its determination to the IPC Router 116. The IPC Router 116 then blocks or forwards 130 the IPC message 128 according to the information returned from the security category service 118.

[0066] Figure 2 illustrates a block diagram of an exemplary computing apparatus 200 for providing improved inter-process messaging mechanisms in accordance with embodiments of the present disclosure. The computing apparatus 200 is similar to the computing apparatus 100 described above and with respect to Figure 1, wherein like reference numerals shown in Figure 2 correspond to like components as described above with reference to Figure 1. The exemplary computing apparatus 200 employs a distinctly different means for associating security categories with applications 108, 112 and is configured with distinctly different system services 202, 204, 206 which may be used by the security category service 218 for associating or classifying applications 108, 112 with security categories. The security category service 218 of computing apparatus 200 is configured to automatically associate a security category with an application 108, 112 based on inputs obtained from a package installer 202, a vendor entitlement service 204, application specific security requirements 206, and/or a machine learning application 208.

[0067] A package installer 202 is used to install software applications 108, 112 on the computing apparatus 200. During the installation process, information pertaining to the application 108, 112 being installed may be obtained by the security category service 118 from the package installer 202. This information, referred to herein as installation information, may include results of verification of a cryptographic signature, verification of the certificate and signing information, identification of the source or vendor of the software, services and computing resources required or requested by the software being installed, etc.

[0068] Vendor entitlements 204 refers to curation of known software applications by a vendor of the computing apparatus 200. Software that has been tested and curated by the computing apparatus 200 vendor may be accorded increased trust and privileges based on the results of this testing and curation. Alternatively, a curated package may be marked as a risk by the vendor and associated with a security category having limited privileges. The vendor entitlements service 204 provides vendor entitlement information to the security category service 218 which may be used when associating or classifying an application with a security category.

[0069] Software products or applications 108, 112 can specify or request specific security requirements when they are being installed on the computing apparatus 200 or at times thereafter as appropriate or desired. These requested security requirements may be processed by an application security service 206 and provided to the security category service 218 as an aid to the association of an application 108, 112 with a security category. These security requirements may be processed and considered during automatic association of the security category by the security category service 218. Alternatively these security requirements may be combined with other inputs or user data to support associating an application 108, 112 with a security category.

[0070] Associating or categorizing of applications with security categories can be improved over time by including various machine learning applications 208 that can provide information to the security category service 218. The machine learning applications can be used to adjust the way applications are categorized or associated with a security category. Machine learning 208 can also be used to adjust the security policies or messaging rules associated with each security category. The machine learning applications 208 can for example watch the behavior of the applications 108, 112 and move an application to a different security category or change the security category an application is associated with.

[0071] In systems such as the computing apparatus 200, vendor entitlements 204 may take precedence when associating a security category; however, application-specific security requirements 206 may still deny access to a less secure application. It may be advantageous to give precedence to the vendor entitlements 204 because the vendor, as the system integrator, is often in the best position to make determinations about security of the overall software environment running on the computing apparatus 200.

[0072] In one embodiment the security category service 218 may recognize an application 108, 112 as belonging to a group of highly protected applications and associate the application 108, 112 with a highly protected security category. A highly protected security category is a security category with messaging rules designed to prevent or restrict unauthorized access to services provided by the application. Recognizing that an application 108, 112 belongs to a group of highly secure applications may be based on any of the criteria described above such as the provider of the application which may be determined by a package installer 202, vendor entitlements 204, application specific security requirements 206 or additional information such as user inputs 106.

[0073] In certain embodiments there may be a large number of client applications that need services from, or otherwise want to interact with, the group of highly secure applications. Because the number of client applications can be very large, it is not feasible to classify and individually configure security policies and messaging rules in advance. To solve this configuration problem, security policies and messaging rules for a relatively small number of security categories can be configured, then crowd-sourcing, also referred to as social proofing, or other such means as described above may be used to automatically assign each client application to one of the configured security categories.

[0074] Thus, by default the applications would not have access to protected applications. If an input source, e.g. the social proof input source, indicates that a large enough number of people have rated the application highly enough, then it is upgraded to a less restrictive policy and granted access to the protected applications. The classification could also be based on testing of the application by a trusted app store, or even by an artificial intelligence (AI) system. Conversely, if an application is marked as potentially malicious by a virus scanner, the application is denied access to the group of highly secure applications.

[0075] As an aid to understanding, the security category service 118 and security category service 218 used in computing apparatus 100 and computing apparatus 200 were described above as having distinctly different functionality and features for associating security categories with applications 108, 112. Those skilled in the art will readily recognize that various combinations of the features of the security category service 118 and the security category service 218 are possible and may be advantageously employed in computing apparatus without straying from the spirit and scope of the disclosed embodiments.

[0076] In certain embodiments a high level of security is required. For example the processor 102 may support multiple execution states where one state is a trusted execution environment or a secure execution environment, and another state is a less secure environment which may be referred to as a normal world execution environment. When the processor 102 supports multiple execution states it may be advantageous to execute the security category service 118, 208 within the highly secure execution state such as a trusted execution environment while execution of the applications 108, 112 will remain in the normal world execution state. For certain types of IPC messages 128 it may be advantageous to change or modify the state of the processor 102 to a more secure state or execution environment such as the secure execution environment, and execute the security category service 118, 218 within this highly secure state. This allows the determination of permissions, such as how to process the IPC message 128, to be protected within the highly secure state.

[0077] It is advantageous for example to execute the security category service 118, 218 within a secure state or execution environment when the services being requested also need to be executed within the highly secure state or execution environment. An IPC Message 128 requesting cryptographic operations that rely on confidential material would be one example of an IPC message 128 that would benefit from having the security category service 118, 218 executed within a trusted or secure execution environment or state.

[0078] Figure 3 illustrates a flow diagram of an exemplary method 300 for providing secure IPC message processing within a mobile computing apparatus, or other types of computing apparatus as desired. The exemplary method 300 is appropriate for use on various types of computing apparatus such as the computing apparatus 100 and the computing apparatus 200 described above.

[0079] The method begins when applications are installed on a computing apparatus or at appropriate times thereafter by associating 302 a sending application with a first security category. A receiving application is associated 304 with a second security category. Alternatively the receiving application may be associated 304 before the sending application as desired. The first security category may be the same as the second security category or alternatively the first and second security category may be different. In certain embodiments it may be advantageous to associate more than one security category with an application.

[0080] During execution of the sending application and the receiving application, the sending application may want to send a message to the receiving application. For example a texting application may desire to request a photograph from a photo album application in order to attach the photo to a text message. When this occurs, a message router will receive 306 the IPC message from the first application. The IPC message will include information about the sending application, the receiving application, and the type of message along with other information as desired by the sending and receiving applications.

[0081] A permission for the IPC message is then determined 308 based on information included in the IPC message and the security categories associated with the sending application and the receiving application. Each security category will have one or more messaging rules and security policies associated with it. These messaging rules provide a basis for determining whether permission to send the IPC message should be granted or not granted. When permission is granted the IPC message is forwarded 312 to the receiving application. When permission is not granted transmission of the message is blocked 316.

[0082] After forwarding 312 or blocking 316 the IPC message, it may be desirable to change 314 the security category associated with the sending application or the receiving application. For example, if the sending application attempted to send a message to a highly sensitive service, such as a banking service, to which it should not have access and should not be trying to access, it may be desirable to associate the sending application with a more restrictive or less trusted security category. In certain situations it may be desirable to associate the sending application with a security category indicating the application is quarantined, such as a security category with messaging rules that do not allow the application to send any messages.

[0083] In certain embodiments it may be advantageous to store, after determining the permission 308, information about the IPC message and the resulting permission determination 308 in a history store or database. This history database may then be used when changing 314 the security category associated with an application. For example an application may be associated with a relatively restrictive security category when it is initially installed. A relatively restrictive security category as used herein refers to a security category that has messaging rules that only give permission to send messages to services deemed to be safe, or that do not pose significant security risks. After the application has been used for a period of time, the history DB may show that the application is well behaved or has not attempted to access sensitive services or information and only sent messages that were consistent with its intended functionality. It may be desirable to promote a well behaved application to a less restrictive or more privileged security category thereby allowing it to expand its functionality by sending messages to a larger variety of system services.

[0084] The trust afforded an application by the associated security policy can be increased gradually by changing the security category associated with the application, provided that the new capabilities enabled by moving the application under a higher-trust security category with higher-trust security policies are not being misused. The security policies or messaging rules associated with each security category may be predefined or dynamically created.
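The method of Figure 3 as described in paragraphs [0079] to [0084] can be followed end to end in code: categories are associated with applications (302, 304), the router receives a message (306), a permission is determined from the category pair and the message type (308), the message is forwarded (312) or blocked (316), the outcome is written to a history store, and the sender's category is changed when the history warrants it (314). The block below is an added example, not code from the patent or from the assignee; the category names, the message types, the contents of the rule table, the rejection and promotion thresholds, and the policy that good behaviour alone never promotes an application past the standard category are all assumptions made for this illustration.

```python
"""Category-based IPC routing with an audit history and re-categorisation.
Added example, not code from the patent: associate categories (302/304), receive a
message at the router (306), determine permission from the category pair and
message type (308), forward (312) or block (316), record the outcome, and change
the sender's category when warranted (314). Names, types, rules and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed categories, ordered least to most trusted.
QUARANTINED, UNTRUSTED, STANDARD, TRUSTED = "QUARANTINED", "UNTRUSTED", "STANDARD", "TRUSTED"
TRUST_ORDER = [QUARANTINED, UNTRUSTED, STANDARD, TRUSTED]
MAX_AUTO_PROMOTION = STANDARD  # assumed policy: good behaviour alone never earns TRUSTED


@dataclass(frozen=True)
class IpcMessage:
    sender: str
    receiver: str
    msg_type: str  # assumed types: "display", "media_request", "address_lookup", "crypto"


@dataclass(frozen=True)
class HistoryEntry:  # one row of the history store: request, categories at the time, result
    message: IpcMessage
    sender_category: str
    receiver_category: str
    forwarded: bool


class CategoryDB:
    """Messaging rules per (sender category, receiver category); anything unlisted is denied."""
    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], Set[str]] = {
            (UNTRUSTED, UNTRUSTED): {"display"},
            (UNTRUSTED, STANDARD): {"display"},
            (STANDARD, STANDARD): {"display", "media_request", "address_lookup"},
            (STANDARD, TRUSTED): {"display"},
            (TRUSTED, TRUSTED): {"display", "media_request", "address_lookup", "crypto"},
        }  # no QUARANTINED entries, so a quarantined sender can send nothing

    def allowed(self, sender_cat: str, receiver_cat: str, msg_type: str) -> bool:
        return msg_type in self.rules.get((sender_cat, receiver_cat), set())


class SecurityCategoryService:
    """App-to-category map, permission decisions, history, and dynamic adjustment."""
    def __init__(self, db: CategoryDB, max_rejections: int = 3, promote_after: int = 5) -> None:
        self.db, self.max_rejections, self.promote_after = db, max_rejections, promote_after
        self.categories: Dict[str, str] = {}
        self.history: List[HistoryEntry] = []
        self.rejections: Dict[str, int] = defaultdict(int)
        self.clean_streak: Dict[str, int] = defaultdict(int)

    def associate(self, app: str, category: str) -> None:  # steps 302 / 304
        self.categories[app] = category

    def determine_permission(self, msg: IpcMessage) -> bool:  # step 308
        s_cat, r_cat = self.categories[msg.sender], self.categories[msg.receiver]
        ok = self.db.allowed(s_cat, r_cat, msg.msg_type)
        self.history.append(HistoryEntry(msg, s_cat, r_cat, ok))
        self._adjust_category(msg.sender, ok)  # step 314
        return ok

    def _adjust_category(self, app: str, forwarded: bool) -> None:
        """Quarantine after repeated rejections; promote one level after a clean run."""
        if not forwarded:
            self.rejections[app] += 1
            self.clean_streak[app] = 0
            if self.rejections[app] >= self.max_rejections:
                self.categories[app] = QUARANTINED
            return
        self.clean_streak[app] += 1
        idx = TRUST_ORDER.index(self.categories[app])
        if self.clean_streak[app] >= self.promote_after and idx < TRUST_ORDER.index(MAX_AUTO_PROMOTION):
            self.categories[app] = TRUST_ORDER[idx + 1]
            self.clean_streak[app] = 0


class IpcRouter:
    """The only path between isolated processes: ask the service, then forward or block."""
    def __init__(self, service: SecurityCategoryService) -> None:
        self.service = service
        self.delivered: Dict[str, List[IpcMessage]] = defaultdict(list)

    def route(self, msg: IpcMessage) -> bool:  # steps 306 .. 316
        if self.service.determine_permission(msg):
            self.delivered[msg.receiver].append(msg)  # forward (312)
            return True
        return False  # block (316)


def demo() -> Dict[str, object]:
    """Constructed scenario: a texting app fetching a photo, a game probing the bank
    until quarantined, and a well-behaved untrusted app promoted after a clean run."""
    svc = SecurityCategoryService(CategoryDB())
    router = IpcRouter(svc)
    for app, cat in (("texting", STANDARD), ("photos", STANDARD), ("bank", TRUSTED),
                     ("game", UNTRUSTED), ("weather", UNTRUSTED)):
        svc.associate(app, cat)
    photo = router.route(IpcMessage("texting", "photos", "media_request"))
    probes = [router.route(IpcMessage("game", "bank", "crypto")) for _ in range(3)]
    after = router.route(IpcMessage("game", "photos", "display"))
    weather = [router.route(IpcMessage("weather", "photos", "display")) for _ in range(5)]
    return {"photo_request": photo, "game_probes": probes, "game_after_quarantine": after,
            "game_category": svc.categories["game"], "weather_run": weather,
            "weather_category": svc.categories["weather"], "history_rows": len(svc.history)}
```

Two design points are worth noting. The rule table is default-deny, so a category pair or message type that nobody configured is blocked rather than passed, and the quarantined category simply has no rows. The adjustment logic is driven only by what the history store already holds (rejections and clean runs per sender), which is why every decision is appended to the history before the category is reconsidered.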

[0085] Thus, while there have been shown, described and pointed out, fundamental novel features of the invention as applied to the exemplary embodiments thereof, it will be understood that various omissions, substitutions and changes in the form and details of apparatus and methods illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit and scope of the presently disclosed invention. Further, it is expressly intended that all combinations of those elements, which perform substantially the same function in substantially the same way to achieve the same results, are within the scope of the invention. Moreover, it should be recognized that structures and/or elements shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.