公开(公告)号：US11017109B1

公开(公告)日：2021-05-25

申请号：US16404538

申请日：2019-05-06

Applicant: Apple Inc.

Inventor： Kelly B. Yancey ,  Richard J. Cooper ,  Richard L. Hagy ,  Pierre-Olivier Martel ,  David P. Remahl ,  Jonathan A. Zdziarski

IPC: G06F21/62 ,  G06N20/00 ,  G06F16/16

Abstract: Embodiments described herein provide techniques to limit programmatic access to privacy related user data and system resources for applications that execute outside of a sandbox or other restricted operating environment while enabling a user to grant additional access to those applications via prompts presented to the user via a graphical interface. In a further embodiment, techniques are applied to limit the frequency in which a user is prompted by learning the types of files or resources to which a user is likely to permit or deny access.

公开(公告)号：US20160125194A1

公开(公告)日：2016-05-05

申请号：US14871212

申请日：2015-09-30

Applicant: Apple Inc.

Inventor： Kevin J. Van Vechten ,  Damien Pascal Sorresso ,  Richard L. Hagy ,  Ivan Krstic

IPC: G06F21/62 ,  G06F9/54

CPC classification number: G06F21/629 ,  G06F9/44521 ,  G06F9/468 ,  G06F9/541 ,  G06F9/542 ,  G06F21/52

Abstract: When an application is launched, a framework scanning module scans a plurality of frameworks linked against by the application to generate a list of available services. When the application makes a request of a particular service, a service verification module compares the requested service to the list of available services and if the requested service is found in the list of available services, sends a signal to the application, the signal allowing access to the requested service for the application. Otherwise, access to the requested service is denied.

Abstract translation: 当启动应用程序时，框架扫描模块扫描由应用程序链接的多个框架以生成可用服务的列表。 当应用程序请求特定服务时，服务验证模块将所请求的服务与可用服务的列表进行比较，并且如果在可用服务的列表中找到所请求的服务，则向应用发送信号，允许访问的信号 到应用程序的请求服务。 否则，拒绝对请求的服务的访问。

公开(公告)号：US20130283344A1

公开(公告)日：2013-10-24

申请号：US13922188

申请日：2013-06-19

Applicant: Apple Inc.

Inventor： Ivan Krstic ,  Austin G. Jennings ,  Richard L. Hagy

IPC: G06F21/10

CPC classification number: G06F21/6281 ,  G06F21/10 ,  G06F21/51 ,  G06F21/53 ,  G06F21/629 ,  G06F2221/033 ,  G06F2221/0735

Abstract: In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.

Abstract translation: 响应于启动程序的请求，确定在程序执行期间由程序访问的一个或多个应用程序框架的列表。 确定在执行期间表示由程序授权的一个或多个资源的零个或多个授权。 从应用程序框架中的至少一个获得基于程序的权利的一组或多个规则。 所述一个或多个规则的集合指定与所述至少一个应用框架相关联的资源的一个或多个约束。 基于与所述至少一个应用框架相关联的一个或多个规则的集合，为所述程序动态地编译安全简档。 编译的安全简档用于在程序执行期间限制程序访问至少一个应用程序框架的至少一个资源。

公开(公告)号：US20210397728A1

公开(公告)日：2021-12-23

申请号：US16906593

申请日：2020-06-19

Applicant: Apple Inc.

Inventor： Gavin B. Thomson ,  Richard L. Hagy ,  Patrick Coffman

IPC: G06F21/62 ,  G06F16/23 ,  G06F16/54 ,  G06F3/0482 ,  H04L29/08

Abstract: This disclosure relates to systems, methods, and computer-readable media for identifying an asset privacy management trigger on an end-user device related to a third-party application. In response to identifying the asset privacy management trigger, a privacy selection interface to enable a user to select a limited asset access option is displayed. In response to the limited asset access option being selected, an asset selection interface is displayed, where the asset selection interface is configured to define a sub-set of assets of the end-user device as authorized for the third-party application based on user selection. In response to a subsequent request to access assets of the end-user device by the third-party application, the third-party application is able to access only the defined sub-set of assets. For different third-party applications or scenarios, the asset privacy management triggers and asset sub-set definitions may vary.

公开(公告)号：US20210397647A1

公开(公告)日：2021-12-23

申请号：US17183071

申请日：2021-02-23

Applicant: Apple Inc.

Inventor： Matthew J. Dickoff ,  Jessica Aranda ,  Patrick Coffman ,  Richard L. Hagy ,  Stephen J. Rhee ,  Nicole R. Ryan ,  Adam C. Swift ,  Gavin B. Thomson ,  Brandon J. Van Ryswyk

IPC: G06F16/54 ,  G06F16/535 ,  G06F3/0482

Abstract: Described herein are techniques to enable limited access to a photos library by enabling application specific virtual photo libraries. When an application requests access to the photos library, the user can select an option to enable or configure a virtual photos library, and then select specific assets (e.g., photos, videos) within the photos library to be selected for inclusion into an application specific virtual photos library.

公开(公告)号：US20160321471A1

公开(公告)日：2016-11-03

申请号：US15060837

申请日：2016-03-04

Applicant: Apple Inc.

Inventor： Ivan Krstic ,  Austin G. Jennings ,  Richard L. Hagy

IPC: G06F21/62 ,  G06F21/10 ,  G06F21/51

CPC classification number: G06F21/6281 ,  G06F21/10 ,  G06F21/51 ,  G06F21/53 ,  G06F21/629 ,  G06F2221/033 ,  G06F2221/0735

Abstract: In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.

公开(公告)号：US11487890B2

公开(公告)日：2022-11-01

申请号：US16906593

申请日：2020-06-19

Applicant: Apple Inc.

Inventor： Gavin B. Thomson ,  Richard L. Hagy ,  Patrick Coffman

IPC: G06F21/62 ,  G06F16/23 ,  G06F16/54 ,  G06F3/0482 ,  H04L67/53 ,  G06Q50/00

Abstract: This disclosure relates to systems, methods, and computer-readable media for identifying an asset privacy management trigger on an end-user device related to a third-party application. In response to identifying the asset privacy management trigger, a privacy selection interface to enable a user to select a limited asset access option is displayed. In response to the limited asset access option being selected, an asset selection interface is displayed, where the asset selection interface is configured to define a sub-set of assets of the end-user device as authorized for the third-party application based on user selection. In response to a subsequent request to access assets of the end-user device by the third-party application, the third-party application is able to access only the defined sub-set of assets. For different third-party applications or scenarios, the asset privacy management triggers and asset sub-set definitions may vary.

公开(公告)号：US11055438B2

公开(公告)日：2021-07-06

申请号：US15060837

申请日：2016-03-04

Applicant: Apple Inc.

Inventor： Ivan Krstic ,  Austin G. Jennings ,  Richard L. Hagy

IPC: G06F9/46 ,  G06F21/62 ,  G06F21/51 ,  G06F21/53 ,  G06F21/10

Abstract: In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.

公开(公告)号：US10019598B2

公开(公告)日：2018-07-10

申请号：US14871212

申请日：2015-09-30

Applicant: Apple Inc.

Inventor： Kevin J. Van Vechten ,  Damien Pascal Sorresso ,  Richard L. Hagy ,  Ivan Krstic

IPC: G06F21/52 ,  G06F21/62 ,  G06F9/46 ,  G06F9/445 ,  G06F9/54

CPC classification number: G06F21/629 ,  G06F9/44521 ,  G06F9/468 ,  G06F9/541 ,  G06F9/542 ,  G06F21/52

Abstract: When an application is launched, a framework scanning module scans a plurality of frameworks linked against by the application to generate a list of available services. When the application makes a request of a particular service, a service verification module compares the requested service to the list of available services and if the requested service is found in the list of available services, sends a signal to the application, the signal allowing access to the requested service for the application. Otherwise, access to the requested service is denied.

公开(公告)号：US20180012017A1

公开(公告)日：2018-01-11

申请号：US15663432

申请日：2017-07-28

Applicant: Apple Inc.

Inventor： Pierre-Olivier J. Martel ,  Kelly B. Yancey ,  Richard L. Hagy

IPC: G06F21/53 ,  G06F21/62

CPC classification number: G06F21/53 ,  G06F21/6218 ,  G06F2221/03 ,  G06F2221/034

Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.