Abstract: A method of securing an app for execution on a device using an app security program with policy gates is described. First, Java class files are generated for the app security program, where the generating is dictated by a plurality of app security policies located in a plurality of policy gates. The plurality of policy gates are managed by a policy gate manager. Next, Java class files are replaced for the app with the Java class files for the app security program. Third, a security-wrapped app is created upon completion of replacing the Java class files for the app. Further, the security-wrapped app is prepared for execution on the device. Last, the security-wrapped app is re-signed with a new key.

Abstract: A digital certificate is created transparently on a mobile device. A VPN appliance receives user credentials from an app, the credentials familiar to the user and associated with an enterprise authentication service. The credentials are validated, comprising the first user authentication in a two-factor authentication method. The user is then presented with a display in the app asking for a PIN. The appliance generates a PIN and sends it to the user via the user enterprise email. The user enters the PIN in the app display. This is the second factor in the two-factor authentication. Once the user is authenticated, the appliance sends data for generating a Certificate Signing Request (CSR) to the app. The app generates a CSR and the appliance sends the CSR to an enterprise CA. A certificate is signed and enrolled. The signed digital certificate is then sent to the wrapped app.

Abstract: An extensible platform gives app developers more control and granularity when developing apps and making them secure. App developers are able to use an app wrapping process to have more control over including non-security related features, such as managerial and administrative features, and more granularity with respect to security features included in the apps they develop. The app wrapping software is extended to be viewed more as a platform for the app developer to customize app security and administrative features without losing the efficiency and simplicity of the original app wrapping process of the present invention.

Abstract: Apps are secured or security-wrapped either before they are downloaded onto a device, such as a smart phone or tablet device, or after they are downloaded but before they are allowed to access the device operating system and cause any potential damage to the device. The app is secured before it is allowed to access the operating system of the device, thereby preventing the app from malicious behavior. App object code is substituted with security program object code, thereby creating a security-wrapped app. The app is provisioned with a geo-fencing policy which prevents execution of an app outside a pre-defined geographical area. If the device is within the defined area, the app is allowed to execute. The geographical area, such as a building or company campus, is defined using longitude and latitude coordinates and a location accuracy value. Device location is obtained using location/GPS services on the device.

Abstract: Computational complexity, specifically, cryptographic operations, is removed from the IKE(Internet Key Exchange) process in a VPN gateway appliance, thereby enabling scaling of the number of datapaths that can be managed by a single IKE process. A two-tier cache configuration enables necessary cryptographic operations on packets in the gateway but does so without placing additional computational burdens on the IKE process. One cache containing security association data is local to the IPSec component of the datapath instance. The second cache is higher level and is populated by IKE with security association data upon completion of IKE Phase 2 negotiations. The local cache is searched first for security policy data and if found is used to encrypt/decrypt the data packet. If not found locally, the IKE centralized cache is searched and if found, the local cache is updated with the security association data.

Abstract: A mobile device user is able to execute an app in a federation of wrapped apps without having to login to that app provided that the user has already logged into another app in that federation. The federation of apps on the device uses multi-app authentication to enable the user to start subsequent apps after explicitly entering login credentials for another app in that federation. This feature is loosely referred to as single sign-on for apps in the federation. The multi-app authentication is implemented by giving the second app a chance to prove two facts. One that it knows where in the operating system keychain a login ticket is stored and two, what the hash value of a random byte array is. By showing these facts, the logged-into app can safely provide login credentials to subsequent app without the user having to enter a login name or password.