Abstract: Embodiments described herein provide a system and method for secure delivery of assets to a trusted device. Multiple levels of verification are implemented to enable components of a software update and asset delivery system to verify other components within the system. Furthermore, updates are provided only to client devices that are authorized to receive such updates. In one embodiment, the specific assets provided to a client device during a software update can be tailored to the client device, such that individual client devices can receive updated versions of software asset at a faster or slower rate than mass market devices. For example, developer or beta tester devices can receive pre-release assets, while enterprise devices can receive updates at a slower rate relative to mass market devices.

Abstract: Embodiments described herein provide a system and method for secure delivery of assets to a trusted device. Multiple levels of verification are implemented to enable components of a software update and asset delivery system to verify other components within the system. Furthermore, updates are provided only to client devices that are authorized to receive such updates. In one embodiment, the specific assets provided to a client device during a software update can be tailored to the client device, such that individual client devices can receive updated versions of software asset at a faster or slower rate than mass market devices. For example, developer or beta tester devices can receive pre-release assets, while enterprise devices can receive updates at a slower rate relative to mass market devices.

Abstract: A kernel of an operating system receives a request from a parent process (e.g., an exec or spawn system call) to launch a child process that executes a binary. The kernel identifies a process-specific launch constraint, which is a precondition for launching the child process. The kernel evaluates the constraint, which can match against any type of system state or variable, including the process's location on disk, protection on disk, and how the process is to be launched. The kernel can then determine whether to launch the child process, thus permitting the child process to be scheduled for execution by the operating system. Launch constraints can be used both for a child process to impose preconditions on the parent process, and vice versa. Launch constraints can be included in the launch request, embedded in the binary, or located elsewhere, such as in a trust cache in kernel memory.

Abstract: Migration of a pairing of wearable device to a new companion electronic device is disclosed. In one embodiment, pairing migration is performed by syncing and verifying a migration key in the wearable and new companion device. Pairing migration includes moving settings and pairing data of the wearable to the new companion device in response to detecting the wearable is associated with the migration key, wherein the migration key establishes a validation of trust of the wearable relative to the companion device. The settings and pairing data can include configuration and protected data and one or more keys to establish a trust relationship between the wearable and new companion device. The settings and pairing data can also include device data such that the wearable can be discoverable by the new companion device.

Abstract: Embodiments described herein provide a system and method for secure delivery of assets to a trusted device. Multiple levels of verification are implemented to enable components of a software update and asset delivery system to verify other components within the system. Furthermore, updates are provided only to client devices that are authorized to receive such updates. In one embodiment, the specific assets provided to a client device during a software update can be tailored to the client device, such that individual client devices can receive updated versions of software asset at a faster or slower rate than mass market devices. For example, developer or beta tester devices can receive pre-release assets, while enterprise devices can receive updates at a slower rate relative to mass market devices.

Abstract: The subject disclosure provides systems and methods for application-specific network data filtering. Application-specific network data filtering may be performed by a sandboxed process prior to providing the network data to an application to which the network data is directed. Any malicious or otherwise potentially harmful data that is included in the network data may be removed by the application-specific network data filter or may be allowed to corrupt the application specific network data filtering operations within the sandbox, thereby preventing the malicious or harmful data from affecting the application or other portions of an electronic device. In one or more implementations, a first process such as an application-specific network data filtering process may request allocation of memory for the first process from second process, such as an application, that is separate from a memory manager of the electronic device.

Abstract: Improved messaging applications are described that use a first set of software to test rendering of a message, and if the test is successful the message is allowed to be presented. In one embodiment, a first set of software can attempt to test the renderability of a message and if the test is successful, the message can be stored in a message database. In one embodiment, the first set of software operates in a separate sandbox from a sandbox for a messaging application which displays the message. The first set of software can operate in a first process which is different than a process in which the messaging application runs.

Abstract: Embodiments described herein provide a system and method for secure delivery of assets to a trusted device. Multiple levels of verification are implemented to enable components of a software update and asset delivery system to verify other components within the system. Furthermore, updates are provided only to client devices that are authorized to receive such updates. In one embodiment, the specific assets provided to a client device during a software update can be tailored to the client device, such that individual client devices can receive updated versions of software asset at a faster or slower rate than mass market devices. For example, developer or beta tester devices can receive pre-release assets, while enterprise devices can receive updates at a slower rate relative to mass market devices.

Abstract: Embodiments described herein provide techniques to limit programmatic access to privacy related user data and system resources for applications that execute outside of a sandbox or other restricted operating environment while enabling a user to grant additional access to those applications via prompts presented to the user via a graphical interface. In a further embodiment, techniques are applied to limit the frequency in which a user is prompted by learning the types of files or resources to which a user is likely to permit or deny access.

Abstract: Improved messaging applications are described that use a first set of software to test rendering of a message, and if the test is successful the message is allowed to be presented. In one embodiment, a first set of software can attempt to test the renderability of a message and if the test is successful, the message can be stored in a message database. In one embodiment, the first set of software operates in a separate sandbox from a sandbox for a messaging application which displays the message. The first set of software can operate in a first process which is different than a process in which the messaging application runs.

Abstract: Embodiments described herein provide a system and method for secure delivery of assets to a trusted device. Multiple levels of verification are implemented to enable components of a software update and asset delivery system to verify other components within the system. Furthermore, updates are provided only to client devices that are authorized to receive such updates. In one embodiment, the specific assets provided to a client device during a software update can be tailored to the client device, such that individual client devices can receive updated versions of software asset at a faster or slower rate than mass market devices. For example, developer or beta tester devices can receive pre-release assets, while enterprise devices can receive updates at a slower rate relative to mass market devices.

Abstract: Migration of a pairing of wearable device to a new companion electronic device is disclosed. In one embodiment, pairing migration is performed by syncing and verifying a migration key in the wearable and new companion device. Pairing migration includes moving settings and pairing data of the wearable to the new companion device in response to detecting the wearable is associated with the migration key, wherein the migration key establishes a validation of trust of the wearable relative to the companion device. The settings and pairing data can include configuration and protected data and one or more keys to establish a trust relationship between the wearable and new companion device. The settings and pairing data can also include device data such that the wearable can be discoverable by the new companion device.

Abstract: Various embodiments of a system and method for securely caching and sharing image data. A process can generate image data and store the image data into the protected cache using a UUID that is cryptographically derived from the image data. Any process with access to the UUID may retrieve the image data. Because the UUID is uniquely derived from the actual data of the generated file, a process will only be able to retrieve image data that could have been generated by a process associated with the user account, or from a process associated with a user account that could have generated the image data, or that otherwise has a record of the image data.

Abstract: Using uniquely generated identifiers in a network-based ecosystem in which a plurality of client devices request media content and software applications from online distribution system and additionally request invitational content from invitational content providers. Separating users' demographic data from a device-specific identifier in favor of uniquely generated identifiers and using the client device to enforce the substation of uniquely generated identifiers in favor of a device identifier, thereby using the client device to serve as a proxy in creating a firewall to exclude system partners from access to a device identifier.

Abstract: Using uniquely generated identifiers in a network-based ecosystem in which a plurality of client devices request media content and software applications from online distribution system and additionally request invitational content from invitational content providers. Separating users' demographic data from a device-specific identifier in favor of uniquely generated identifiers and using the client device to enforce the substation of uniquely generated identifiers in favor of a device identifier, thereby using the client device to serve as a proxy in creating a firewall to exclude system partners from access to a device identifier.

Abstract: Using uniquely generated identifiers in a network-based ecosystem in which a plurality of client devices request media content and software applications from online distribution system and additionally request invitational content from invitational content providers. Separating users' demographic data from a device-specific identifier in favor of uniquely generated identifiers and using the client device to enforce the substation of uniquely generated identifiers in favor of a device identifier, thereby using the client device to serve as a proxy in creating a firewall to exclude system partners from access to a device identifier.

Abstract: Various embodiments of a system and method for securely caching and sharing image data. A process can generate image data and store the image data into the protected cache using a UUID that is cryptographically derived from the image data. Any process with access to the UUID may retrieve the image data. Because the UUID is uniquely derived from the actual data of the generated file, a process will only be able to retrieve image data that could have been generated by a process associated with the user account, or from a process associated with a user account that could have generated the image data, or that otherwise has a record of the image data.

Abstract: Using uniquely generated identifiers in a network-based ecosystem in which a plurality of client devices request media content and software applications from online distribution system and additionally request invitational content from invitational content providers. Separating users' demographic data from a device-specific identifier in favor of uniquely generated identifiers and using the client device to enforce the substation of uniquely generated identifiers in favor of a device identifier, thereby using the client device to serve as a proxy in creating a firewall to exclude system partners from access to a device identifier.