Abstract: Systems, methods, and computer-readable media are provided for controlling an application's access to sensors based on application status and/or other metadata. An application security management system accesses a request by an application instance on a device for a given instance of access to an audio, image, location, sensitive data, or network access resource of the device. The request is made to an interface that controls access to the audio, image, location, sensitive data, or network access resource based on stored rules. Metadata associated with the request indicates which state of candidate states the application instance is in at a time of the request and/or past states of the application instance prior to the request. Based at least in part on the given application state or states or a pattern thereof, and at least one of the stored rules, the application security management system determines whether to grant the given instance of access.

Abstract: Systems, methods, and computer-readable media are provided for using bytecode injection to control an application's access to external resources. An application security management system accesses a request made by an application instance using a resource access bytecode instruction for access to a resource. Upon detecting the request, the application security management system injects a validation bytecode instruction to complete execution before the request. The validation bytecode instruction is based at least in part on the request and one or more states of the application instance. Execution of the validation bytecode instruction determines whether access is prevented or not. The application security management system uses the validation bytecode instruction to prevent access to the resource if one or more conditions are satisfied based at least in part on the one or more states of the application instance.

Abstract: Systems, methods, and computer-readable media are provided for implementing an application security management system. An application instance is executed that uses an interface that wraps external resource access functionality of the application instance. The interface is used to allow access from the application instance to one or more external resources, and an application security management system managing the interface logs requests. A call is received including a request for access to a resource external to the application instance along with metadata about functionality carried out by the application instance in association with the request. A use-case is determined for the request based at least in part on the metadata. The use-case is compared to a set of rules that map different use-cases to different candidate external resources to determine if the request to the resource is valid for the use-case. When the resource is not valid for the use-case, the request is rejected and logged.

Abstract: A system performs thread synchronization across layers of code that implement an application, including native code, system code, and code in a virtual machine (“VM”). The system makes a call by the native code to the system code; and sends a message by the system code to the code in the VM. The system then sends a first response by the code in the VM to the system code; and sends a second response by the system code to the native code, where each one of the native code, the system code, and the code in the VM implements wait and notify functionality for communication with other codes that implement the application.

Abstract: A system performs thread synchronization across layers of code that implement an application, including native code, system code, and code in a virtual machine (“VM”). The system makes a call by the native code to the system code; and sends a message by the system code to the code in the VM. The system then sends a first response by the code in the VM to the system code; and sends a second response by the system code to the native code, where each one of the native code, the system code, and the code in the VM implements wait and notify functionality for communication with other codes that implement the application.