HK1167532B - System and method for handling data transfers - Google Patents
System and method for handling data transfers Download PDFInfo
- Publication number
- HK1167532B HK1167532B HK12107976.9A HK12107976A HK1167532B HK 1167532 B HK1167532 B HK 1167532B HK 12107976 A HK12107976 A HK 12107976A HK 1167532 B HK1167532 B HK 1167532B
- Authority
- HK
- Hong Kong
- Prior art keywords
- data
- mobile device
- data transfer
- location
- network
- Prior art date
Links
Abstract
A system, method, and apparatus for managing data transfers between a secure location and a less secure location based on data transfer settings established by an administrator and according to security related aspects and business policy requirements are presented. A data transfer checker apparatus stored and operating on a wireless mobile device retrieves data transfer settings to determine if requested data to be transferred from a first location to a second location is to be performed.
Description
The present application is a divisional application of the chinese patent application entitled "system and method for processing data transmission" filed on 29/4/2005 with application number 200580013730.4.
Technical Field
The present invention relates generally to the field of communications, and more particularly to the handling of data transmissions involving mobile wireless communications devices.
Background
Some companies and governments have different types of networks based on different levels of security. Some networks are more secure than others and provide an additional level of security and different processes for using the network. This concerns the security of data to be moved between networks, in particular from a more secure network to a less secure network. Another problem is how to prevent malicious applications from siphoning (siphoning) data from inside the enterprise firewall to outside the firewall.
For example, the government may have a confidential network and a non-confidential network. A workstation on a confidential network may not even connect to a non-confidential network to explicitly prevent data siphoning. To prevent data siphoning between these networks for mobile communications, the government will configure two separate PDAs for each employee using both networks. This is an expensive process.
As another example, an organization may wish to configure its employees with handheld devices that connect to the employee's enterprise's network and the employee's personal (home) email account. Siphoning data between an employee's enterprise secure network and the employee's personal account is detrimental to the employee.
Disclosure of Invention
In accordance with the teachings disclosed herein, systems and methods are provided for managing data transmissions between a secure location and a less secure location. As an example of the systems and methods, a data transfer verifier operating on a mobile device determines whether to allow a data transfer attempt between two locations. If not, the data transfer is blocked and the user may be notified that the data transfer is blocked.
As another example of the described systems and methods, the systems and methods can receive a data transfer request to transfer data from a first location to a second location, where the first location is more secure than the second location. Data transfer settings are retrieved from the data store in response to receiving the data transfer request. The data transfer setting indicates whether the data transfer occurred based on a security-related aspect associated with the data transfer. The data transfer settings are used to determine whether to transfer data from the first location to the second location based on the data transfer settings. Data is transmitted in response to the determining step.
The systems and methods may be configured to take into account one or more different data transfer security-related aspects, such as a security level associated with a destination of the data transfer. As other examples, the security-related aspect can include a type of communication operation to be performed between the first location and the second location, such as a type of communication that occurred. The types of data transfer operations may include data forwarding between service books, open internal and external connections, interprocess communication (IPC) between applications, and/or cut-copy-paste type operations between applications.
It is to be understood that the systems and methods described herein are capable of many different embodiments and of being modified in various respects.
Drawings
Fig. 1 is an overview of an example communication system in which a wireless communication device may be used.
Fig. 2 is a block diagram of another example communication system including multiple networks and multiple mobile communication devices.
Fig. 3 and 4 are block diagrams illustrating management of data transfer between a secure location and a less secure location.
FIG. 5 is a block diagram illustrating an IT administrator providing data transfer settings to a mobile device.
Fig. 6 and 7 are flow charts showing data transfer operation schemes.
Fig. 8 is a block diagram illustrating a data transfer prevention feature in which data forwarding between service books is prevented.
Fig. 9 is a block diagram illustrating a data transfer prevention feature in which an application on a mobile device is not capable of cut/copy/paste operations.
FIG. 10 is a block diagram illustrating a data transfer prevention feature in which interprocess communication (IPC) is not possible between applications operating on a mobile device.
FIG. 11 is a block diagram of an example mobile device.
Detailed Description
Fig. 1 is an overview of an example communication system in which a wireless communication device may be used. Those skilled in the art will appreciate that there may be many different topologies, however the system shown in FIG. 1 is helpful in demonstrating the operation of the encoded message processing system and the methods described in this application. There may also be multiple message senders and receivers in the figure. The simple system shown in fig. 1 is for illustrative purposes only and shows perhaps the most prevalent internet email environment, where security measures are not typically used.
Fig. 1 shows an e-mail sender 10, the internet 20, a message server system 40, a wireless gateway 85, a wireless infrastructure 90, a wireless network 105 and a mobile communication device 100.
For example, the e-mail sender system 10 may be connected to an ISP (Internet service provider) on which the user of the system 10 has an account, located inside a company, may be connected to a Local Area Network (LAN), connected to the Internet 20, or connected to the Internet 20 through a large ASP (application service provider) such as America Online (AOL). Those skilled in the art will appreciate that although the transmission of e-mail is typically accomplished through an internet-connected arrangement as shown in fig. 1, the system shown in fig. 1 may instead be connected to a Wide Area Network (WAN) other than the internet.
For example, the message server 40 may be implemented on a network computer within an enterprise firewall or a computer within an ISP or ASP system, and serves as the primary interface for email exchanges on the Internet 20. A mobile device 100 configured to receive or send e-mail will typically be associated with an account on a message server, although other message systems may not require a message server system 40. Perhaps the two most common message servers are microsoft exchangeTMAnd Lotus dominoTM. These products are often used in connection with internet mail routers that route and deliver mail. These intermediate components are not shown in fig. 1 because they do not directly play a role in the secure message processing described below. Message servers such as server 40 typically extend outward, not only for the sending and receiving of e-mail; they also include a dynamic database memory engine with predefined database formats that can be used for calendars, to-do lists, task lists, for exampleData for tables, emails and files.
The wireless gateway 85 and infrastructure 90 provide a link between the internet 20 and wireless network 105. The wireless infrastructure 90 determines the most appropriate network for locating a given user and tracks the user as they roam between countries or networks. The message is then delivered to the mobile device 100 by wireless transmission, typically at Radio Frequency (RF), from a base station in the wireless network 105 to the mobile device 100. The particular network 105 may be any virtual wireless network over which messages may be exchanged with mobile communication devices.
As shown in fig. 1, an email sender 10 located somewhere on the internet 20 sends a composed email message 15. This message 15 is typically completely explicit and uses the conventional Simple Mail Transfer Protocol (SMTP), RFC822 headers and Multipurpose Internet Mail Extensions (MIME) body parts to define the format of the mail message. These techniques are well known to those skilled in the art. The message 15 arrives at the message server 40 and is typically stored in a message store. Many known messaging systems support a so-called "pull" message access scheme in which the mobile device 100 must request that stored messages be forwarded by the message server to the mobile device 100. Some systems provide for automatic routing of such messages addressed using a particular email address associated with the mobile device 100. In a preferred embodiment described in more detail below, messages addressed to a message server account associated with a host system, such as a home computer or office computer belonging to the user of the mobile device 100, are redirected from the message server 40 to the mobile device 100 as they are received.
Regardless of the particular means used to control the forwarding of the message to the mobile device 100, the message 15, or possibly a translated or reformatted version thereof, is sent to the wireless gateway 85. The wireless infrastructure 90 includes a series of connections to a wireless network 105. These connections may be Integrated Services Digital Networks (ISDN), frame relay, or T1 connections using TCP/IP protocols used throughout the internet. In thatThe term "wireless network" as used herein is intended to include three different types of networks, which are: (1) a data center wireless network; (2) a voice-centric wireless network; and (3) dual mode networks capable of supporting both voice and data communications on the same physical base station. Combined dual mode networks include, but are not limited to: (1) a Code Division Multiple Access (CDMA) network; (2) global system for mobile communications (GSM) and General Packet Radio Service (GPRS) networks; and (3) future 3 rd generation (3G) networks, such as enhanced data services (EDGE) and Universal Mobile Telecommunications System (UMTS). Some older examples of data center networks include MobitexTMWireless network and DataTACTMA wireless network. Older voice-centric data networks included Personal Communication Systems (PCS) networks such as GSM and TDMA systems.
Fig. 2 is a block diagram of another example communication system including multiple networks and multiple mobile communication devices. The system of fig. 2 is substantially similar to the system of fig. 1, but includes a host system 30, a redirection program 45, a mobile device holder 65, a wireless Virtual Private Network (VPN) router 75, an additional wireless network 110, and a plurality of mobile communication devices 100. Fig. 2 shows an overview of an example network topology, in conjunction with the description of fig. 1 above. Although the encoded message processing systems and methods described herein may be applied to networks having a number of different topologies, the network of FIG. 2 is helpful in understanding the automatic e-mail redirection system briefly described above.
The central host system 30 may typically be a corporate office and other LAN, but may also be a home office computer or some other private system, with messages being exchanged at the central host system 30. Within the host system 30 is a message server 40 running on some computer within the firewall of the host system, the message server 40 serving as the primary interface for the host system to exchange e-mail with the internet 20. In the system of fig. 2, the redirection program 45 enables redirection of data items from the server 40 to the mobile communication device 100. Although the redirection program 45 is shown to reside on the same machine as the message server 40 for ease of description, it need not necessarily reside on the message server. The redirection program 45 and the message server 40 are designed to cooperate and interact to allow pushing information to the mobile device 100. In this setting, the redirection program 45 takes confidential and non-confidential corporate information for a particular user and redirects it to the mobile device 100 through the corporate firewall. More detailed descriptions of the redirection software 45 can be found in U.S. Pat. No. 6,219,694 ("the' 694 patent") entitled "System and method for Pushing information and Mobile station Host System to electromagnetic data communication device HavingAShared electronic Address", issued on 4.17.2001 to the assignee of the instant application. This push technique may use wireless friendly encoding, compression and encryption techniques to deliver all information to the mobile device, effectively extending the security firewall to include each mobile device 100 associated with the host system 30.
As shown in fig. 2, there may be multiple selection paths to obtain information for mobile device 100. One method of loading a message onto the mobile device 100 is through the designated port 50 and using the device cradle 65. This approach would be useful for a large number of message updates that are often performed when the mobile device 100 is initialized with the host system 30 or a computer 35 within the system 30. The other major method of data exchange is to use a wireless network to deliver a wireless broadcast of information. As shown in fig. 2, this may be accomplished by connecting to the wireless gateway 85 and wireless infrastructure 90 through a wireless VPN router 75 or through a conventional internet connection 95, as described above. The concept of a wireless VPN router 75 is new in the wireless domain and means that a VPN connection can be established directly through a particular wireless network 110 to a mobile device 100. The possibility of using a wireless VPN router 75 has only recently become possible and can only be used when a new Internet Protocol (IP) version 6(IPV6) enters an IP-based wireless network. This new protocol will provide enough IP addresses to provide each mobile device 100 with an IP address so that information can be pushed to the mobile device 100 at any time. The main advantage of using a wireless VPN router 75 is that it can be an off-the-shelf VPN component, so that it does not require the use of a separate wireless gateway 85 and wireless infrastructure 90. The VPN connection may preferably be a Transmission Control Protocol (TCP)/IP or User Datagram Protocol (UDP)/IP connection that delivers messages directly to the mobile device 100. If the wireless VPN75 is not available, then the link 95 to the Internet 20 is the most common connection mechanism, as described above.
In the automatic redirection system of fig. 2, a composed email message 15 leaving from the email sender 10 arrives at the message server 40 and is redirected by the redirection program 45 to the mobile device 100. When this redirection occurs, the message 15 is re-encapsulated (as shown at 80), and then possibly proprietary compression and encryption algorithms may be applied to the original message 15. In this way, the security of the message read on the mobile device 100 is no less secure than the message read on the desktop workstation 35, for example, inside a firewall. All messages exchanged between the redirection program 45 and the mobile device 100 preferably use this message repackaging technique. Another purpose of the external encapsulation is to maintain addressing information in the original message except for the addresses of the sender and receiver. This allows the message reply to reach the appropriate destination, but also allows the "from" field to reflect the mobile user's desktop address. Using the email address from the user of the mobile device 100 allows the received message to appear as if the message was originally from the user's desktop system 35 rather than the mobile device 100.
Referring back to the connectivity of the port 50 and cradle 65 with the mobile device 100, this connection path provides many advantages for enabling one-time data exchange for large items. The most common data exchanged over such links is Personal Information Management (PIM) data 55, to those skilled in the art of Personal Digital Assistants (PDAs) and synchronization. When exchanged for the first time, this data will be large in size, even huge, and require a large bandwidth to load onto the mobile device 100, where it can be used on the path. This serial link may also be used for other purposes including establishing personal security keys 111 such as S/MIME, PGP specific personal keys, user' S certificate and its Certificate Revocation List (CRL) 60. The personal key is preferably exchanged so that the desktop 35 and the mobile device 100 share a personality and a method to access all mail. Certificates and CRLs are typically exchanged over such links as they represent a large amount of data required by the device for S/MIME, PGP and other public key security methods.
Fig. 3 illustrates a system in which a data transfer verifier 202 manages data transfers 230 between a secure location 220 and a less secure location 240 on a mobile device 100. The data transfer verifier 202 can be implemented on the mobile device 100 in the form of a software program, hardware, or firmware. Fig. 4 provides several examples of locations 220 and 240. For example, location 220 may be the highest secret or secure network and location 240 may be an unlimited network.
As another example, location 220 may be the first application that has received sensitive or confidential information. The data transfer checker 202 blocks attempts to transfer data from a first application to a second application because if the data is successfully transferred to the second application, the second application may be used to disseminate sensitive data to unsecured locations.
Fig. 5 shows an IT (information technology) administrator 250 (or an agent thereof) providing data transmission criteria or settings 252 to the mobile device 100. Settings 252 can indicate what data transfer 230 is allowed and which are not. The settings 252 can be stored in a data store 204 located on the mobile device 100, accessed by the data transfer verifier 202.
The IT manager 250 can specify data transfer settings 252 to one or more devices. The settings 252 may be provided to the mobile device 100 over a network (or other data connection means) to update the data store 204 on the mobile device 100. The mobile device 100 can be pre-programmed with settings and the mobile device 100 can be updated by the IT administrator 250 or the mobile device 100 can have initial settings provided by the IT administrator 250.
This provides, among other things, companies with the ability to customize data transfer settings to suit their needs. Also, the IT manager 250 can provide the same settings to all mobile devices in the company, thereby ensuring that the company's mobile devices conform to a consistent IT policy.
IT policies may be implemented on mobile devices in a variety of ways, such as by the methods described in the following U.S. patent application "systemand method of ownercontrolof electronic devices" (serial No. 10/732,132, filed 12/10 2003). This document shows how a user of a mobile device can prevent changing or erasing owner control information (e.g., data transfer settings 252) specified by the IT administrator 250.
Fig. 6 and 7 illustrate a data transfer operation scheme 300. At step 302 of the operating scenario, data transfer settings may be provided by an IT administrator to one or more mobile devices. A company's IT policy can specify that a number of different data transfer related features are enabled/disabled. For example, the data transfer settings can enable/disable the following security related aspects related to data transfer:
whether data forwarding between service books is allowed.
Whether to allow cut/copy/paste operations between applications.
Whether the application is blocked from opening internal and external connections.
Whether IPC (inter-process communication) between applications is allowed.
Using one or more of these features, a company can help ensure that its private data remains secure. At step 304, the data transfer settings are stored in one or more data stores located on the mobile device.
At step 306, in this operational scenario, an attempt occurs to transfer data from the first location to the second location. Step 310 retrieves data transfer settings, decision step 312 checks whether a data transfer should occur according to the data transfer settings, and then a data transfer occurs between the first location and the second location, for which case processing terminates at end block 320.
However, if decision step 312 determines that the data transfer is not allowed according to the settings, then decision step 316 determines whether to notify the user that the data transfer is not allowed. If the user is not notified (e.g., because the feedback message is not allowed because of the settings), processing for this operational scenario terminates at end block 320. If, however, decision block 316 determines to notify the user, then an indication is provided to the user that the data transfer is blocked at step 318. Processing for this operational scenario terminates at end block 320.
It will be appreciated that steps and the order of steps in the flowcharts described herein may be altered, modified and/or augmented similar to other process flows described herein while still achieving the desired results.
Fig. 8 illustrates the data transfer prevention feature mentioned above, wherein data transfer 410 between services (400, 420) is prevented. Typical services include corporate mail services, the user's personal email service, and instant messaging services. This data transfer prevention feature allows companies to prohibit inappropriate forwarding/replying between services. For example, if a user receives an email message via first service 400, the user cannot forward the message to another email account via second service 420 (e.g., the user's personal email account). Alternatively, a message 440 arriving through a source email server 430 must be replied to or forwarded through the same source email server 430 from which the message 440 arrived.
Fig. 9 illustrates the data transfer prevention feature mentioned above, wherein all or a designated application on the handheld mobile device 100 is not capable of performing the cut/copy/paste operation 510. For example, even if forwarding between applications or services is prohibited, certain users may copy messages from one application 500, compose new messages in a different application 520, and send messages through a different application 520. Disabling the cut/copy/paste operation makes it more difficult for the user to siphon data because the user will be forced to re-enter the complete message or data.
Fig. 10 illustrates the data transfer prevention feature mentioned above, in which inter-process communication (IPC)710 between applications (700, 720) operating on the mobile device 100 can be disabled. It is well known to those skilled in the art that an application may initiate one or more processes in order to accomplish certain tasks on the handheld mobile device 100. This data transfer prevention feature will prevent two malicious programs (700, 720) working together from siphoning data. For example, one application 700 will open a connection inside a firewall and another application 720 will open a connection outside the firewall. Then using IPC710 they will effectively siphon data between the two applications (700, 720). Disabling IPC between applications (700, 720) prevents this type of attack from occurring.
The data transfer prevention provided by the data transfer checker 202 will inadvertently disable IPC between an email program operating on the mobile device 100 and an address book. Thus, the company can additionally select which applications allow IPC to be used, as some applications (e.g., email programs and address books) may legally use IPC.
The systems and methods disclosed herein are presented by way of example only and are not meant to limit the scope of the present invention. Other variations of the systems and methods described above will be apparent to those skilled in the art and are considered to be within the scope of the invention. For example, the systems and methods disclosed herein may be used with a number of different computers and devices, such as the wireless mobile communication device shown in FIG. 11. Referring to fig. 11, the mobile device 100 is a dual-mode mobile device and includes a transceiver 811, a microprocessor 838, a display 822, non-volatile memory 824, Random Access Memory (RAM)826, one or more auxiliary input/output (I/O) devices 828, a serial port 830, a keyboard 832, a speaker 834, a microphone 836, a short-range wireless communications subsystem 840, and other device subsystems 842.
The transceiver 811 includes a receiver 812, a transmitter 814, antennas 816 and 818, one or more local oscillators 813, and a Digital Signal Processor (DSP) 820. Antennas 816 and 818 may be antenna elements of a multi-element antenna and are preferably embedded antennas. However, the systems and methods described herein are in no way limited to a particular type of antenna or wireless communication device.
The mobile device 100 is preferably a two-way communication device having voice and data communication capabilities. Thus, for example, the mobile device 100 may communicate over a voice network, such as any of the analog or digital cellular networks, as well as over a data network. The voice and data networks are illustrated in fig. 11 by a communication tower 819. These voice and data networks may be separate communication networks (e.g., base stations, network controllers, etc.) using separate infrastructure or may be integrated into a single wireless network.
The transceiver 811 is used for communicating with the network 819, and includes the receiver 812, the transmitter 814, the one or more local oscillators 813, and the DSP 820. The DSP820 is used to send and receive signals to and from the transceivers 816 and 818, and also provides control information to the receiver 812 and the transmitter 814. If voice and data communications occur at a single frequency or over a set of frequencies in close space, a single local oscillator may be used in conjunction with receiver 812 and transmitter 814. Alternatively, multiple local oscillators 813 can be used to generate multiple frequencies corresponding to the voice and data networks 819, for example if different frequencies are utilized for voice and data communications. Information, including both voice and data information, is transferred to and from the transceiver 811 via a link between the DSP820 and the microprocessor 838.
The detailed design of the transceiver 811, such as frequency band, component selection, power level, etc., will depend on the communication network 819 in which the mobile device 100 is intended to operate. For example, a mobile device 100 that is to operate in a north american market may include a transceiver 811, the transceiver 811 designed to operate with any one of a number of voice communication networks (e.g., the Mobitex or DataTAC mobile data communication networks, AMPS, TDMA, CDMA, PCS, etc.); while a mobile device 100 to be used in europe may be configured to operate with a GPRS data communication network and a GSM voice communication network. Other types of data and voice networks, both separate and integrated, may also be utilized by the mobile device 100.
The access requirements of the mobile device 100 may vary depending on the type of network or networks 819. For example, in the Mobitex and DataTAC data networks, mobile devices are registered on the network using a unique identification number associated with each mobile device. In GPRS data networks, however, network access is associated with a subscriber or user of a mobile device. GPRS devices typically require a subscriber identity module ("SIM") in order to operate the mobile device on a GPRS network. Local or non-network communication functions (if any) may be operable, without the SIM device, but the mobile device will be unable to carry out any functions involving communications over the data network 819, other than any legally required operations, such as '911' emergency calling.
After any necessary network registration or activation procedures have been completed, the mobile device 100 may send and receive communication signals, including both voice and data signals, over the networks 819. Signals received by the antenna 816 from the communication network 819 are routed to the receiver 812, which receiver 812 provides for signal amplification, frequency down conversion, filtering, channel selection, etc., and may also provide analog to digital conversion. Analog-to-digital conversion of the received signal allows more complex communication functions, such as signal demodulation and decoding, to be performed using the DSP 820. Similarly, signals to be transmitted to the network 819 are processed, including modulation and encoding for example, by the DSP820 and are then provided to the transmitter 814 for digital to analog conversion, frequency up conversion, filtering, amplification and transmission to the communication network 819 via the antenna 818.
In addition to processing communication signals, the DSP820 also provides for transceiver control. For example, the gain levels applied to communication signals in the receiver 812 and transmitter 814 may be adaptively controlled through automatic gain control algorithms implemented in the DSP 820. Other transceiver control algorithms could also be implemented in the DSP820 in order to provide more sophisticated control of the transceiver 811.
The microprocessor 838 preferably manages and controls the overall operation of the mobile device 100. Many types of microprocessors or microcontrollers could be used here, or alternatively a single DSP820 could be used to carry out the functions of the microprocessor 838. Low-level communication functions, including at least data and voice communications, are performed through the DSP820 in the transceiver 811. In addition, high-level communication applications, such as voice communication application 824A and data communication application 824B, may be stored in the non-volatile memory 824 for execution by the microprocessor 838. For example, the voice communication module 824A may provide a high-level user interface operable to send and receive voice calls between the mobile device 100 and a plurality of other voice or dual-mode devices via the network 819. Similarly, the data communication module 824B may provide a high-level user interface operable to send and receive data, such as e-mail messages, files, organizer information, short text messages, etc., between the mobile device 100 and a plurality of other data devices via the network 819.
Microprocessor 838 also interacts with further device subsystems such as the display 822, RAM826, auxiliary input/output (I/O) subsystems 828, serial port 830, keyboard 832, speaker 834, microphone 836, a short-range communications subsystem 840, and any other device subsystems generally designated as 842.
Some of the subsystems shown in fig. 11 perform communication-related functions, whereas other subsystems may provide "resident" or on-device functions. In particular, some subsystems, such as keyboard 832 and display 822 may be used for both communication-related functions, such as entering a text message for transmission over a data communication network, and device-resident functions such as a calculator or task list or other PDA type functions.
Operating system software used by the microprocessor 838 is preferably stored in a persistent store such as the non-volatile memory 824. The non-volatile memory 824 can be implemented as, for example, a Flash memory component or a battery backed-up RAM. In addition to the operating system, which controls low-level functions of the mobile device 810, the non-volatile memory 824 includes a plurality of software modules 824A-824N that can be executed by the microprocessor 838 (and/or the DSP820), including a voice communication module 824A, a data communication module 824B, and a plurality of other operating modules 824 for performing a plurality of other functions. These modules are executed by the microprocessor 838 and provide a high-level interface between the user and the mobile device 100. This interface typically includes a graphics component provided by the display 822 and an input/output component provided by the auxiliary I/O828, keyboard 832, speaker 834, and microphone 836. The operating system, specific device applications or modules, or parts thereof, may be temporarily loaded into a volatile store, such as RAM826 for faster operation. In addition, received communication signals may also be temporarily stored to RAM826, before being permanently written to a file system located in a persistent store such as Flash memory 824.
An exemplary application module 824N that may be loaded onto the mobile device 100 is a Personal Information Manager (PIM) application providing PDA functionality, such as scheduling, appointments, and task items. This module 824N may also interact with the voice communication module 824A to manage phone calls, voice mails, etc., and may interact with the data communication module to manage e-mail communications and other data transmissions. Alternatively, all of the functionality of the voice communication module 824A and the data communication module 824B may be integrated into the PIM module.
The non-volatile memory 824 preferably also provides a file system to facilitate storage of PIM data items on the device. The PIM application preferably includes the ability to send and receive data items, either by itself, or in conjunction with the voice and data communication modules 824A, 824B, via the wireless networks 819. The PIM data items are preferably seamlessly integrated, synchronized and updated, via the wireless networks 819, with a corresponding set of data items stored or associated with a host computer system, thereby creating a mirrored system for data items associated with a particular user.
Context objects representing at least partially decoded data items and fully decoded data items are preferably stored in volatile and non-persistent memory (e.g., RAM826) in mobile device 100. Such information may instead be stored in the non-volatile memory 824, for example, when the storage interval is relatively short such that the information is removed from memory shortly after storage. However, this information is preferably stored in the RAM826 or another volatile and non-persistent store, which has ensured that the information is erased from memory when the mobile device 100 loses power. This prevents an unauthorized party from obtaining any stored decoded or partially decoded information by removing the memory chip from the mobile device 100, for example.
The mobile device 100 may be manually synchronized with the host system by placing the device 100 in an interface cradle that connects the serial port 830 of the mobile device 100 with the serial port of the device behind the computer system. The serial port 830 may also be used to enable a user to set preferences through an external device or software application or to download other application modules 824N for installation. This wired download path may be used to load encryption keys onto the device, which is a more secure method than exchanging encryption information over the wireless network 819. Interfaces for other wired download paths may be provided in the mobile device 100 in addition to or in place of the serial port 830. For example, a USB port may provide an interface to a similarly equipped personal computer.
Additional application modules 824N may be loaded onto the mobile device 100 through the network 819, an auxiliary I/O subsystem 828, serial port 830, short-range communications subsystem 840, or any other suitable subsystem 842, and installed by a user in the non-volatile memory 824 or RAM 826. Such flexibility in application installation increases the functionality of mobile device 100 and may provide enhanced on-device functions, communication-related functions, or both. For example, secure communication applications may enable electronic commerce functions and other such financial transactions to be performed using the mobile device 100.
When the mobile device 100 is operating in a data communication mode, received signals, such as text messages and web page downloads, are processed by the transceiver module 811 and provided to the microprocessor 838, which microprocessor 838 preferably also performs the above-described multiple stages of processing on the received signals for output to the display 822, or alternatively to the auxiliary I/O device 828. A user of the mobile device 100 may also compose data items, such as e-mail messages, using the keyboard 832. The keyboard 832 is preferably a complete alphanumeric keyboard arranged in a QWERTY style, but other types of complete alphanumeric keyboards, such as the well-known DVORA style, may be used. User input to the mobile device 100 is further enhanced by a plurality of auxiliary I/O devices 828, which plurality of auxiliary I/O devices 828 may include a thumbwheel input device, a touchpad, various switches, a rocker input switch, and the like. The combined data items input by the user may be transmitted over the communication network 819 through the transceiver module 811.
When mobile device 100 is operating in a voice communication mode, all operation of mobile device 100 is substantially similar to that in data mode, except that received signals are preferably output to a speaker 834 and voice signals to be transmitted are generated by a microphone 836. Alternative voice or audio I/O subsystems, such as a voice message recording subsystem, may also be implemented on the mobile device 100. Although voice or audio signal output is preferably accomplished primarily through the speaker 834, the display 822 may also be used to provide an indication of the identity of a calling party, the duration of a voice call, or voice call related information. For example, the microprocessor 838, in conjunction with the voice communication module and operating system software, may detect caller identification information of an incoming voice call and display it on the display 822.
A short-range communications subsystem 840 is also included in the mobile device 100. Subsystem 840 may include an infrared device and associated circuits and components, or Bluetooth, for exampleTMA module or a short-range RF communication module of an 802.11 module to provide for communication with similarly capable systems and devices. Those skilled in the art will appreciate that "Bluetooth" and "802.11" refer to the available sets of specifications from the institute of electrical and electronics engineers for wireless personal area networks and wireless local area networks, respectively.
Data for the systems and methods may be stored in one or more data stores. The data storage may be a variety of different types of storage devices and programming constructs such as RAM, ROM, Flash memory, programmed data structures, programmed variables, etc. It is noted that data structures describe the format used to organize and store data in a database, program, memory, or other computer-readable medium for use by a computer program.
The systems and methods may be provided on a variety of different types of computer-readable media including computer storage devices (e.g., CD-ROM, floppy disks, RAM, flash memory, computer hard disks, etc.) that contain instructions for use by a processor to perform the operations of the methods and implement the systems described herein.
The computer components, software modules, functions and data structures described herein may be connected directly or indirectly to each other in order to allow the flow of data required for their operation. It is further noted that a module or processor includes, but is not limited to, a code unit that performs software operations, and can be implemented as code, e.g., a subroutine unit, a software function unit of code, an object (in an object-oriented paradigm), a Java program, a computer script language, or a different type of computer code. The software components and/or functionality may be located on a single computing device or distributed across multiple computing devices depending on the current situation.
Claims (6)
1. A method of processing data transmissions on a mobile wireless communications device, comprising:
receiving, from a first application at a first location, a request to perform at least one of copying data, cutting data, or pasting data from a second application at a second location, the first and second applications both running on the mobile wireless communications device;
in response to receiving the request, retrieving one or more data transfer settings from a data store on the device, wherein the one or more data transfer settings indicate a security-related data transfer policy that indicates whether copying, cutting, or pasting data is allowed; and
determining whether to allow or disallow copying, cutting, or pasting data based on the one or more data transfer settings.
2. The method of claim 1, wherein the determining comprises using a security level associated with the first location and using a security level associated with the second location.
3. The method of claim 1, further comprising:
the one or more data transmission settings are received from a server via a wireless network.
4. An apparatus that handles data transmissions on a mobile wireless communications device, comprising:
means for receiving, from a first application at a first location, a request to perform at least one of copying data, cutting data, or pasting data from a second application at a second location, the first and second applications both running on the mobile wireless communications device;
means for retrieving one or more data transfer settings from a data store on the device in response to receiving the request, wherein the one or more data transfer settings indicate a security-related data transfer policy that indicates whether copying, cutting, or pasting data is allowed; and
means for determining whether to allow or disallow copying, cutting, or pasting data based on the one or more data transfer settings.
5. The apparatus of claim 4, wherein the means for determining comprises means for using a security level associated with the first location and using a security level associated with the second location.
6. The apparatus of claim 4, further comprising:
means for receiving the one or more data transmission settings from a server via a wireless network.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US56729304P | 2004-04-30 | 2004-04-30 | |
| US60/567,293 | 2004-04-30 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1167532A1 HK1167532A1 (en) | 2012-11-30 |
| HK1167532B true HK1167532B (en) | 2016-11-04 |
Family
ID=
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| USRE49721E1 (en) | System and method for handling data transfers | |
| US10484870B2 (en) | System and method for handling peripheral connections to mobile devices | |
| US7707639B2 (en) | System and method for handling restoration operations on mobile devices | |
| US8074066B2 (en) | System and method for sending secure messages | |
| US8442234B2 (en) | System and method for obtaining certificate status of subkeys | |
| US9148448B2 (en) | System and method for configuring devices for secure operations | |
| CN1997974B (en) | Content Protection Ticket System and Method | |
| HK1167532B (en) | System and method for handling data transfers | |
| AU2012203391B2 (en) | System and method for handling data transfers | |
| HK1099864B (en) | System and method for filtering data transfers within a mobile device | |
| HK1100788B (en) | Method and apparatus for handling peripheral connections to mobile devices |