Abstract: A network connection between an app on a mobile device and a remote server is either enabled or denied based on whether a security wrapped app can verify that the connection is with a known and trusted server. The wrapped app uses a socket interception layer injected into the app code along with a trust store, also part of the wrapped app to determine whether a network connection attempted by the app should be allowed. The layer buffers relevant function calls from the app by intercepting them before they reach the device operating system. If the layer determines that a network connection is attempted, then it snoops the negotiation phase data stream to discern when the server sends a certificate to the app. It obtains this certificate and compares it to data in the trust store and makes a determination of whether the server is known and trusted.

Abstract: An Internet-enabled device, such as a smartphone, tablet, PC, wearable sensor, or household appliance, executes an application (or “app”) has its own VPN connection with a VPN gateway device. The app does not use the device-level or system VPN to connect with the gateway. The app, which may be security wrapped, is made more secure by having its own VPN tunnel with the gateway, wherein the VPN tunnel is not used by other apps running on the device. The conventional (or device-level) VPN connection is not used by the app(s). The app has its own IP stack, an HTTP proxy layer, an IPsec module, and a virtual data link layer which it uses to build IP packets, encapsulate them, and transmit them to a transport module in the device operating system, for example, a UDP module.

Abstract: A network connection between an app on a mobile device and a remote server is either enabled or denied based on whether a security wrapped app can verify that the connection is with a known and trusted server. The wrapped app uses a socket interception layer injected into the app code along with a trust store, also part of the wrapped app to determine whether a network connection attempted by the app should be allowed. The layer buffers relevant function calls from the app by intercepting them before they reach the device operating system. If the layer determines that a network connection is attempted, then it snoops the negotiation phase data stream to discern when the server sends a certificate to the app. It obtains this certificate and compares it to data in the trust store and makes a determination of whether the server is known and trusted.

Abstract: An Internet-enabled device, such as a smartphone, tablet, PC, wearable sensor, or household appliance, executes an application (or “app”) has its own VPN connection with a VPN gateway device. The app does not use the device-level or system VPN to connect with the gateway. The app, which may be security wrapped, is made more secure by having its own VPN tunnel with the gateway, wherein the VPN tunnel is not used by other apps running on the device. The conventional (or device-level) VPN connection is not used by the app(s). The app has its own IP stack, an HTTP proxy layer, an IPsec module, and a virtual data link layer which it uses to build IP packets, encapsulate them, and transmit them to a transport module in the device operating system, for example, a UDP module.