Abstract: Methods and systems provide for resolving domain names by employing a proxy server between the client device and the resolving server. The methods and systems may maintain user privacy by the proxy receiving the client identity and an encrypted domain name. After substituting an arbitrary query identifier for the client identity in the resolution request, the proxy forwards the anonymized resolution request to the resolving server. In return the proxy receives an encrypted internet protocol (IP) address with the arbitrary query identifier, which the proxy associates with the client identity and forwards the encrypted IP address to the client for decrypting. Methods and systems provide for receiving an assessment of a full uniform resource locator (URL) in a browser session in advance of the browser accessing the URL. Methods and systems further prevent the re-use of passwords.

Abstract: For increased security, a source is determined for software to be installed on a computing device. In one approach, an application identifier is received from the computing device for an application to be installed. A source identifier of the application is determined. The application identifier and the source identifier are sent over a network to a server. A first state designation for the first application is received from the server. The first state designation represents a trusted state or an untrusted state. In response to receiving the first state designation, a second state designation is set. The second state designation is sent to the computing device.

Abstract: A security code module is provided that a developer may include in an application. The application, when downloaded onto a mobile communications device, includes the security code module. The security code module then initiates a request to a server to determine the status of the mobile communications device. When the status indicates that the mobile communications device is not in the possession of the registered owner, a security component on the server performs an action in response.

Abstract: Systems and methods for coordinating components can include: determining, by a first application executing on a client device, a need to perform a sharable functional task; identifying a first software component installed on the client device and capable of performing a first variation of the sharable functional task; identifying a second software component installed on the client device and capable of performing a second variation of the sharable functional task, wherein the second variation of the sharable functional task is functionally overlapping with and not identical to the first variation; identifying a set of characteristics of both the first software component and the second software component; selecting the second software component for performing the sharable functional task based on the set of characteristics, where the set of characteristics includes at least a version number; and delegating performance of the sharable functional task to the second software component.

Abstract: Techniques for providing domain name and URL visual verifications to increase security of operations on a device. The techniques include a visual indicator and/or warning to a user on the user's computing device that a domain or URL requested by the user and the device is unpopular, new, unknown, inauthentic, associated with malware or phishing, or in some other way, risky. The techniques include identifying a domain name in a communication received by a computing device and then determining a popularity ranking and/or an age of the domain name. The device can render, for display on a screen of the device, a visual indicator having the popularity ranking and/or the age of the domain name. Also, the techniques can include identifying a URL in a communication received by a computing device and then rendering, for display on a screen of the device, a visual indicator having the entire URL.

Abstract: A method is provided for evaluating the usage of a mobile communications device that itself provides access to a resource. In the method, a detected usage of the mobile communications device is compared to a stored usage pattern of an authorized user. When a measure associated with the difference between the detected usage and the stored usage pattern exceeds a threshold, it is concluded that the mobile communications device is being used by an unauthorized user. In response to this conclusion, a restriction is placed on an ability of the mobile communications device to access the resource.

Abstract: Methods and systems are provided for providing a mobile communications device with access to a provider with a plurality of security levels. The security state of the device varies according to severity levels of device security events. The mobile communications device generates data regarding security events and provides the data to the provider, which compares that security state to a policy associated with the provider. The mobile communications device is allowed to access to a provider service where the device's current security state meets or exceeds the security state required for the provider service.

Abstract: The method disclosed herein provides for performing user authentication and maintaining user authentication and access to a first device based on the user maintaining control of the first device. The continued control may be based on determining the user's continued possession of the first device, or determining an acceptable proximity of the user to the first device. The proximity of the user may be determined using a second device associated with the user, or sensors associated with the first device.

Abstract: Methods and systems provide for reducing privacy leaks in DNS request by using a private DNS service. The private DNS service provides for matching a level of privacy provided by a type of communication protocol to a level of privacy desired or required for a particular client communication. When the DNS service determines that an intended communication protocol does not supply at least the level of privacy desired for a particular communication, the private DNS service may initiate the creation of a connection with the desired level of privacy.

Abstract: In one approach, a first computing device receives a request from a second computing device. The request is for access by the second computing device to a service provided by a third computing device over a network. In response to receiving the request, the first computing device performs a security evaluation of the second computing device. The evaluation determines a risk level. The first computing device generates, based on the evaluation, a token for the second computing device. The token includes data encoding the risk level. The token is sent to the second computing device and/or third computing device. The sent data is used to configure the service provided to the second computing device.

Abstract: Security policies are made dependent on location of a device and the location of a device is determined and the appropriate security policy applied without providing the device's location to a server. A device determine its location and identifies a security policy identifier mapped to a zone including the location. The device requests the security policy corresponding to the identifier from a server and implements it. The device may also store a database of the security policies and implement them according to its location. Devices registered for a user evaluate whether locations detected for the devices correspond to impossible travel by the user. Objects encoding geolocation data of a device may be encrypted with a private key of the device and the public key of another to prevent access by an intermediary server.

Abstract: Systems and methods are disclosed for managing personal data on a client computer in which personal data stored at one or more locations on the client computer is identified by a policy management module on the computer or a server. A policy is then created based on the identified personal data. The policy management module monitors at least the personal data stored in the one or more locations and detects attempts to access the monitored data and determines whether the attempts are in violation of the policy.

Abstract: A computing device creates verification information and a challenge token and sends the verification information and token to a server. The computing device receives authentication credentials and a command from the server and a command. The authentication credentials were generated using verified authentication information and the token. The computing device verifies the authentication credentials and processes the command if the credentials are valid.

Abstract: A method includes: receiving a request regarding access by a first computing device (e.g., a mobile device of a user) to a service; in response to the request, performing, by a second computing device (e.g., a device risk evaluation server, or a server of an identity provider), an evaluation that includes creating a fingerprint of the first computing device; and determining, by the second computing device, whether the fingerprint matches a fingerprint of one or more other computing devices. The second computing devices determines whether to authorize access to the service based on the evaluation.

Abstract: A method for multi-party authorization includes a security component determining that a request for the performance of an action on a computing device is from a first party. The security component initiates transmissions to the computing device of first and second information indicating knowledge of first and second secrets provisioned on the computing device. The computing device, upon verifying the knowledge of first and second secrets, then permits the requested action.

Abstract: The method disclosed herein provides for performing device authentication based on the of proximity to another device, such as a key device. When a key device is not near a mobile communications device, an unlock screen is allowed to be presented on a display screen. Based on the mobile communications device receiving a first code to unlock the mobile communications device, the mobile communications device is unlocked in a first mode. Based on receiving a second code while the unlocked mobile communications device is in the first mode, the unlocked mobile communications device changes from the first mode to a second mode, wherein a level of functionality of the mobile communications device in the second mode is greater than a level of functionality of the mobile communications device in the first mode.

Abstract: Systems and methods are disclosed for managing personal data on a mobile communications device in which personal data stored at one or more locations on the mobile communications device is identified by a policy management module on the mobile communications device. A policy is then created based on the identified personal data. The policy management module on the mobile communications device monitors at least the personal data stored in the one or more locations on the mobile communications device and detects attempts to access the monitored data.

Abstract: Techniques for deployment of policies to computing devices are described herein. The techniques can include a server deploying a passive policy to the computing devices. After deploying the passive policy, data is collected from each of the computing devices regarding operation of the computing device. The server monitors, based on comparing the passive policy to the collected data, compliance of each computing device with the passive policy. The server determines, based on the monitoring, a set of the computing devices that exhibit a policy violation associated with the passive policy. The server deploys an active policy to the set of computing devices. The active policy corresponds to the passive policy, and deploying the active policy causes one or more actions that correspond to the policy violation to be performed on each of the set of computing devices.

Abstract: Methods and systems provide for resolving domain names by employing a proxy server between the client device and the resolving server. The methods and systems may maintain user privacy by the proxy receiving the client identity and an encrypted domain name. After substituting an arbitrary query identifier for the client identity in the resolution request, the proxy forwards the anonymized resolution request to the resolving server. In return the proxy receives an encrypted internet protocol (IP) address with the arbitrary query identifier, which the proxy associates with the client identity and forwards the encrypted IP address to the client for decrypting. Methods and systems provide for receiving an assessment of a full uniform resource locator (URL) in a browser session in advance of the browser accessing the URL. Methods and systems further prevent the re-use of passwords.

Abstract: Techniques for enterprise policy rehearsals, rollouts, and rollbacks are described herein. The techniques can include a server receiving data associated with computing devices. The server compares the received data to data stored in a data repository. The data in the data repository corresponds to risks identified based on information collected from different computing devices prior to receiving the data associated with the computing devices. A risk profile is generated by the server based on comparing the received data to the repository data for each of the computing devices. The server causes, based on the risk profile for each of the computing devices, one or more responsive actions (e.g., using the risk profiles to prioritize deployment of software to the computing devices).