System and method to avoid malware attached to a server
Patent abstract:
SYSTEM AND METHOD FOR AVOIDING MALWARE COUPLED TO A SERVER. The present invention relates to a system and method suitable to prevent malicious software, spyware or other unwanted applications from affecting mobile communication devices (for example, smartphones, netbooks and tablets). In accordance with the present invention, a mobile communication device uses a server to help identify and eliminate unwanted applications. When verifying an application, a device transmits information related to the application to a server for analysis. The server receives the data, performs an evaluation of the application and forwards this evaluation to the device. By performing the analysis on a server, the present invention allows a device to reduce battery consumption and the operating costs necessary to protect the device against unwanted applications. Servers send notifications to devices that have applications installed that are considered undesirable. The server receives application-related data from many devices, then uses the combined data to minimize false positives and provides comprehensive protection against known and unknown threats.
Publication number: BR112013004345B1
Application number: R112013004345-8
Filing date: 2011-08-25
Publication date: 2020-12-08
Inventors: Kevin Patrick Mahaffey; James David Burgess; David Golombek; Anthony Mckay Lineberry; Kyle Barton; David Luke Richardson; John G. Hering; Jonathan Pantera Grubb; Timothy Micheal Wyatt; Daniel Lee Evans; Ariel Salomon
Applicant: Lookout, Inc.
Main IPC number:
Patent description:
BACKGROUND OF THE INVENTION
This disclosure relates in general to mobile communication security, and specifically to the detection and prevention of data that negatively affect a mobile communication device or a set of mobile communication devices. Current mobile communication devices, such as cell phones, smartphones, wireless-enabled personal data devices, tablet PCs, netbooks and the like, are becoming more common as platforms for various software applications. A mobile device user now has more freedom to choose and install different software applications, and can thus personalize the device. However, although there are many positive software applications available on the market, the ability to interact with, install and operate third-party software inevitably leaves mobile communication devices susceptible to vulnerabilities, malware and other harmful software applications. Unlike personal computers and other less portable computing devices that can install and run antivirus software to protect themselves from harmful software, mobile communication devices do not have the processing power or resources to run such software effectively. Third-party applications that provide rudimentary scanning functions on a mobile communication device have been developed; however, these applications are often specific to a device, operating system or application. As such, a single universal, platform-independent system to efficiently monitor, scan, repair and protect mobile communication devices does not exist. It would be desirable to provide such a system that works on any mobile communication device, that is hardware and software independent, and that can be continuously updated to provide constant protection in real time. In addition, it would be desirable to provide an adaptable system that can act and react to the demands and changes that affect a variety of mobile communication devices, thereby providing protection against intelligent malware.
A common feature of many mobile communication devices is that they are constantly connected to a network. However, despite this common connection, it is difficult to fully protect mobile communication devices at the mobile network level, as the devices can connect to other networks and use encrypted services, which often do not use network-level protection. Rather than relying solely on the processing and memory resources of each of the mobile communication devices on the network, it would be desirable to provide a system that protects mobile communication devices remotely, providing malware prevention and scanning measures for multiple devices without the overhead of performing such measures locally on each device. One of the issues that make it difficult to protect mobile communication devices from unwanted applications is the variety of data and applications that are available for such devices. Although service providers are able to manage network traffic when providing applications, there is currently no way to effectively control the behavior of these applications after they have been installed on the user's mobile device. Likewise, it is difficult to identify new, previously unknown malicious applications by their behavior and to control and prevent the spread or dissemination of harmful applications and data once they have been released to the network. It would be desirable to provide a system that can actively monitor a group of mobile communication devices in order to collect data on the installation and behavior of applications on mobile communication devices.
Once this system is in place, it would be desirable to use the data and information obtained about the applications of mobile communication devices to help users make more educated decisions about the applications they choose to run on their mobile communication devices, and to allow network administrators and operators to take preventive measures to further protect both individual devices and the network as a whole. It would also be desirable to develop a way to collect data anonymously on the behaviors and activities of mobile communication devices and to promote the development of safer mobile applications.
BRIEF DESCRIPTION OF THE FIGURES
This disclosure is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which similar references indicate similar elements, and in which:
Figure 1 is an example block diagram that depicts an embodiment of the disclosure.
Figure 2 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 3 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 4 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 5 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 6 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 7 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 8 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 9 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 10 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 11 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
Figure 12 is a flow chart that illustrates the exemplary steps of an embodiment of the disclosure.
DETAILED DESCRIPTION
This disclosure is directed towards a system and methods for using a server to provide protection from, and removal of, unwanted applications or other data objects that may affect a mobile communication device or a plurality of mobile communication devices, regardless of the make or model of the mobile communication devices, the mobile communications network, or the software applications present on the mobile communication device. As used here, all services associated with the identification, analysis and removal of potentially unwanted applications or other data objects, as well as the protection of the mobile communication device, are described under the term "security" without limitation. Thus, one embodiment of this disclosure is aimed at providing security for a plurality of mobile communication devices, such as the mobile communication devices of a group of employees, or the mobile communication devices that access a given network. One embodiment of this disclosure is aimed at securely collecting information about applications on mobile communication devices without overloading individual mobile communication devices or the mobile network, and using the information about applications to protect mobile communication devices. One embodiment of this disclosure uses information obtained from mobile communication devices to generate device or user information that can be used to develop future products or services for mobile communication devices. It will be appreciated that an embodiment of the present disclosure can be implemented in several ways, including as a process, an apparatus, a system, a device, a method, a computer-readable medium, such as a computer-readable storage medium containing computer-readable instructions or computer program code, or as a computer program product comprising a computer-usable medium with computer-readable program code incorporated therein.
It will be appreciated that the mobile communication device described herein can include any computer or computing device that runs an operating system for use on portable or mobile devices, such as smartphones, PDAs, tablets, cell phones and the like. For example, a mobile communication device can include devices such as the Apple iPhone®, Apple iPad®, Palm Pre™, or any device that runs the Apple™, Android™, Google Chrome, Symbian®, Windows Mobile®, Palm® or Palm Web™ operating systems. As used herein, the mobile communication device can also be referred to as a mobile device, a mobile client, or simply as a device or a client. In the context of this document, a computer-usable or computer-readable medium can be any medium that can contain or store the program for use by, or in connection with, the instruction execution system, apparatus or device. For example, the computer-readable storage medium or the computer-usable medium may be, but is not limited to, random access memory (RAM), read-only memory (ROM), or persistent storage, such as a mass storage device, hard disk, CD-ROM, DVD-ROM, tape, erasable programmable read-only memory (EPROM or flash memory), or any other magnetic, electromagnetic, infrared, optical or electrical system or device for storing information. Alternatively or additionally, the computer-readable storage medium or computer-usable medium can be any combination of these devices, or even paper or another appropriate medium on which the program code is printed, as the program code can be captured electronically, for example by optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed appropriately, if necessary, and then stored in a computer's memory. Applications, software programs or component instructions, modules, data objects or data items.
Applications can be hardwired or hard-coded in hardware, or take the form of software running on a general-purpose computer, such that when the software is loaded and/or executed by the computer, the computer becomes a device that practices the disclosure. The applications can also be downloaded in whole or in part through the use of a software development kit, or set of tools, that allows the creation and implementation of an embodiment of the disclosure. In the present specification, these implementations, or any other form that an embodiment of the disclosure may take, can be referred to as techniques. In general, the order of the steps of the described processes can be changed within the scope of the disclosure. As mentioned earlier, security services can be provided to one or more mobile communication devices by a server or a group of servers that work together. There are many possible ways in which multiple servers can operate together to provide security services without departing from the scope of the present invention. One embodiment of this system is shown in figure 1, in which one or more servers 151 communicate with one or more mobile communication devices 101 over a cellular, wireless Internet or other network 121. As mentioned above, mobile communication device 101 can also be referred to as a "mobile client device", "client device", "device", or "client", and can be referred to in the singular or plural. One or more servers 151 may have access to a data store 111, which stores security information for one or more mobile communication devices 101. Data, assessment information, information about mobile communication devices 101, or other objects for storage can be stored on servers 151 and/or data store 111. Servers 151 or data store 111 can be singular or plural, and can be physical or virtualized. Data store 111 can be a database, data table, data structure, file system or other memory storage.
Data store 111 can be hosted on any one or more servers 151, or it can exist externally from one or more servers 151, as long as one or more servers 151 have access to data store 111. In one embodiment, data store 111 is an external service provided by a third party, such as Simple Storage Service (S3) or other products provided by Amazon Web Services, LLC. It will be appreciated that the configuration of the system illustrated in figure 1 is not limiting, and merely exemplary, and that other configurations are possible without departing from the present disclosure. It will be appreciated that the communication between the mobile communication device 101 and server 151 can utilize a variety of network protocols and security measures. In one embodiment, server 151 functions as an HTTP server, and device 101 functions as an HTTP client. To protect data in transit, mobile communication device 101 and server 151 can use Transport Layer Security ("TLS"). In addition, to ensure that mobile communication device 101 has the authority to access server 151, and/or to verify the identity of mobile communication device 101, device 101 may send one or more identifiers or authentication credentials to the server 151. For example, authentication credentials can include a user name and password, device-specific credentials, or any other data that identifies mobile communication device 101 to server 151. Authentication can allow server 151 to store information specific to the mobile communication device 101 or to an account associated with a mobile communication device 101, to provide personalized services for the device 101, and to maintain a persistent view of the security status of the mobile communication device 101. In order to provide security services for the mobile communication device 101, a person skilled in the art will appreciate that the mobile communication device 101 will transmit certain data to server 151.
As will be discussed in more detail below, server 151 analyzes that data and provides a security-related assessment, response and/or other action. The following describes the types of data transmitted from the mobile communication device 101 to the server 151, the analysis performed by the server 151, and the measures taken with or by the mobile communication device 101. It will be appreciated that an embodiment of the present disclosure can exist independently on the mobile communication device 101, or can be incorporated into an existing security system residing on the mobile communication device, such as that described in U.S. Patent Application No. 12/255,614, entitled "SYSTEM AND METHOD FOR MONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS", filed on October 21, 2008, and incorporated here in its entirety. A person skilled in the art will also appreciate that, to implement an embodiment of the present disclosure on a variety of mobile communication device platforms, it may be necessary to incorporate a multiplatform system such as that disclosed in U.S. Patent Application No. 12/255,626, entitled "SYSTEM AND METHOD FOR A MOBILE CROSS PLATFORM SOFTWARE SYSTEM", filed on October 21, 2008, and incorporated here in its entirety. In addition, as discussed below, aspects of the present disclosure can be used to determine a security status for a mobile communication device 101, as described in U.S. Patent Application No. 12/255,632, entitled "SECURE MOBILE PLATFORM SYSTEM", filed on October 21, 2008, and incorporated here in its entirety. A person skilled in the art will appreciate that mobile communication devices are exposed to different types of data. This data includes network data, files, executable and non-executable applications, emails and other types of objects that can be transmitted, received, or installed on a mobile communication device.
Mobile communication devices also typically transmit and receive data through one or more network interfaces, including Bluetooth, Wi-Fi, infrared, radio receivers, and the like. Likewise, data can be encapsulated in a layered communication protocol or set of protocols, such as TCP/IP, HTTP, Bluetooth, etc. Current server-client security models, such as those currently available for desktop and laptop computers, cannot extend their capabilities to provide adequate assessment and security for a plurality of mobile communication devices. This disclosure contemplates at least two types of data that can be used to evaluate and protect mobile communication devices. The first type of data includes data about a mobile communication device, that is, "device data". Device data pertains to state, resources, operating system, firmware version, memory capacity, available communication ports, battery limitations, hardware characteristics and other "baseline" information that can be common to all similar devices absent user customization. Device data can include standard specifications for a device that are received from a manufacturer, service provider, or IT service. Device data can include state information common to all similar mobile communication devices after they have been updated in some way. As will be discussed later, device data can be used to assess whether there are vulnerabilities due to unprotected communication ports, operating system exploits, device-specific attacks, and the like. A second type of data that can be used to evaluate mobile communication devices is data that pertains to a specific application, file or object that can be installed or executed on a mobile communication device. As used herein, this data is referred to as "application data". Application data includes both data objects and information about data objects, such as behavioral data or metadata. Data objects include application packages that may be specific to certain mobile communication devices.
For example, iPhone OS devices typically use IPA files or APP packages, devices with Android™ operating systems typically use APK files, Windows Mobile devices typically use CAB, EXE, or DLL files, and Symbian OS devices typically use SIS files. Devices can also support multiplatform application formats, such as the SWF format underlying the Adobe Flash runtime, or JAR files that can run on Java virtual machines. Application data includes data objects that are malware or spyware, and thus can negatively affect a mobile communication device. Malware and spyware include applications, files and other data objects that are purposely designed to harm or steal information from a mobile communication device. Application data also includes data objects that are not designed for harmful reasons, but may have coding flaws or other problems that can adversely affect a device. Application data also includes data objects that can be undesirable for several reasons. For example, a data object may be undesirable because it compromises privacy, overtaxes a device's battery or network connection, and/or has illegal content. As used here, "data objects" can also be referred to as "data items." The use of either term is not intended to limit the data to any specific form. Application data includes metadata about data objects. Metadata is information about a specific data object, rather than the data object itself. Metadata includes the location in the file system of a mobile communication device where a data object is stored, a hash of the data object, the name of the data object, a unique identifier present in or associated with the data object, such as a GUID or UUID, security information related to the data object, such as cryptographic signer information or the level of permissions granted, and characteristics of how the data object is installed on or integrates with the operating system of the mobile communication device.
Metadata for a data object can also include where the data object came from (for example, a URL from which it was downloaded, an application from which it was downloaded, or a memory card from which it was installed or on which it was stored). Metadata can also be retrieved from an application market. Such metadata, called market metadata, includes information about a data object, such as the number of downloads, user comments about the data object, the description of the data object, permissions requested by the data object, software or hardware requirements for the data object, information about the author of the data object, the price of the data object, the language or languages supported by the data object, and other information that a market can offer. In one embodiment, the application data also includes behavioral data. Behavioral data includes information about how an application interacts with or uses the resources of a mobile communication device, such as memory usage, battery usage, network usage, storage usage, CPU usage, API usage, errors and failures, connected network services (for example, remote host address and port), and runtime library linkage. Behavioral data also includes information about how an application, file, or data object, when executed, uses features of the mobile communication device's operating system, such as notifications and messages between installed processes or applications. As will be explained later, both device data and application data are useful for providing a security assessment of a device based on data stored on the device (for example, installed applications) or passing through the device. A person skilled in the art will appreciate that device data and application data are just examples of the types of data that can be used to safeguard a mobile communication device or provide other functions related to a mobile communication device.
Other types of data can also be evaluated by the disclosed system without departing from the scope of the present invention. As used here, the term assessment refers to information related to a data object that can be used to evaluate or better understand the operation of a data object or the effect of its operation. For example, an assessment can determine whether an application is malicious or non-malicious, good or bad, dangerous or safe, or whether an application should be blacklisted or not. An assessment can include categorization or characterization data for a data object; ratings, such as security ratings, privacy ratings, performance ratings, quality ratings, and battery impact ratings for a data object; reliability indices for a data object; and distribution data for a data object. Assessments can result from the collection and/or processing of data by server 151 and can be exposed by server 151 to users or to other systems through an API, user interfaces, data feeds, or other methods. It will be appreciated that the previous description of an "assessment" is not intended to be limiting in any way.
A. Device data collection
What follows is a discussion of how device data and application data are collected and stored, in accordance with one embodiment of the present invention. In general, the following discussion includes communications between server 151 and mobile communication devices 101 over network 121. All data sent or received during these communications can be stored on server 151 or data store 111. In one embodiment, data stored in data store 111 or on server 151 is associated with a particular account or a device known to the system. The association between the data and a device or account may allow the server 151 to provide customized functionality for the account or the device based on the data received previously.
In one embodiment, some or all of the data is stored on server 151 or data store 111 with an anonymous association with a given account or device. For example, data can be stored with an anonymous association for privacy purposes, so that analysis of data on server 151 or data store 111 cannot tie the anonymously associated data to a particular account or device; however, a device can fill in and update its anonymously associated data. Anonymous associations are described in detail below. In one embodiment, server 151 will request information from mobile communication devices 101, which will respond with the requested information. In one embodiment, a mobile communication device 101 will transmit device data and/or application data to server 151 for analysis and assessment. For example, a user of the mobile communication device 101 may download a file to the device but, before installing the file, may want to send the file or identifying data associated with the file to server 151 in order to check whether the file is malicious or undesirable. Server 151 will then analyze this received data in order to provide a security assessment that is available to any of the mobile communication devices 101. In another example, it may be useful to know how an assessed data object will affect the performance or behavior of a mobile communication device, with the assessment containing information such as the average battery impact or the average network usage of the data object. In one embodiment, server 151 stores the assessments of data objects after analysis and can provide access to these assessments in several ways. The analysis performed by server 151 will be discussed later. The process by which server 151 provides access to assessment information will also be discussed below. To avoid burdening network 121 and server 151 with network traffic, several methods can be used to reduce the amount of data requested by and transmitted to server 151.
For example, instead of transmitting entire data objects, such as application files or application packages, for analysis, hash functions or hashing algorithms can be applied to the data, and the resulting hash of the data can be sent to server 151. Server 151 can use the hash to uniquely identify the data object. If the server has already performed an assessment of the data object identified by the hash, server 151 can return the previous assessment, if it is still valid. If server 151 has not yet performed an assessment for the data object, server 151 may return a response indicating that the assessment is unknown and/or request additional data from the mobile communication device 101. A person skilled in the art will appreciate that a hash algorithm transforms an arbitrary amount of data into a fixed-length identifier. For example, the SHA-1 hashing algorithm can digest an arbitrary amount of input data into a 160-bit hash. In another example, metadata in addition to a hash of the data object can be sent instead of the data object itself; for example, an application's metadata can be sent for an assessment instead of the entire application. In many cases, metadata such as a package name, application name, file name, file size, requested permissions, cryptographic signature, download source, a unique identifier such as a UUID, and other information can be sufficient as identifying information for a data object; thus, if the server 151 receives the appropriate identifying information, it can determine whether the data object is undesirable. A person skilled in the art will appreciate that there are a variety of methods by which a data object can be identified so as to allow server 151 to determine whether a data object installed on device 101 is malicious, without having to transmit the entire data object to the server 151.
In an embodiment of the present disclosure, server 151 may request portions of a data object, instead of a complete data object. An entire data object can be transmitted incrementally, so that network 121 is not burdened by network traffic. Alternatively or in addition, server 151 can request information about a particular application, but can query a group of mobile communication devices that each have this application. In this way, server 151 can receive a portion, or "chunk", of data from one mobile communication device, another portion of data from a second mobile communication device, and so on, as necessary. The server 151 can then aggregate this information as it is received, thus pooling data from a number of mobile communication devices that have the application or file without overloading any specific mobile communication device. An example of this method is discussed below. Figure 2 is an overview of the transmission of different types of data between a mobile communication device 101 and the server 151. As shown in figure 2, in block 201, the mobile communication device 101 sends application data to the server 151, which receives this data (block 203). In this embodiment, the mobile communication device sends identification or authentication information to the server 151 so that the server 151 can reference previously stored identification or authentication information about the mobile communication device 101, store and retrieve the data associated with the mobile communication device 101, and specifically identify or authenticate the mobile communication device 101 among other mobile communication devices. In one embodiment, server 151 sends a notification to mobile communication device 101 (block 205). This notification can be an alert, a message, an instruction or other information related to application data or device data specific to the mobile communication device 101.
In one embodiment, the notification is due to the device having previously sent application data corresponding to a data object that was not initially assessed by server 151 to be undesirable, but was subsequently determined by server 151 to be undesirable. In block 207, the mobile communication device 101 receives the notification, and in block 209, the mobile communication device 101 takes action based on the notification. As will be discussed in more detail below, such actions may include disabling one or more features or applications on the mobile communication device 101. A person skilled in the art will appreciate that the interaction between the mobile communication device 101 and the server 151 can include communication from the mobile communication device to the server, as well as from the server to the mobile communication device. For example, in one embodiment, server 151 may receive application data from mobile communication device 101, but server 151 may require additional information before providing an assessment or transmitting a notification. In block 211, server 151 can request additional information from the mobile communication device 101. The mobile communication device receives the request (block 213), gathers the additional information as requested by server 151 (block 215), then, in block 217, transmits the additional information to server 151. In block 219, server 151 receives the requested additional information. It will be appreciated that this process can be repeated as needed. Figures 3 to 7 illustrate the transmission and collection of application data and device data in more detail. Figure 3 illustrates an embodiment in which server 151 assesses a change to a data object stored on the mobile communication device 101. In figure 3, the mobile communication device 101 detects a change in a specific data object (block 301).
A person skilled in the art will appreciate that detecting changes to a data object may involve mechanisms such as intercepting system calls or file system operations, a file system or other data object change listener, receiving an event from a package management system (for example, PACKAGE_UPDATED and/or PACKAGE_REPLACED intents in the Android™ operating system), and searching for data objects in a file system or other system capable of enumerating data objects. Other techniques for detecting changes can also be used. Alternatively or in addition, the following methods can occur when a change to a data object is detected, at the request of the user of the mobile communication device, or by a pre-configured list for the analysis and evaluation of the data objects on the mobile communication device. In one embodiment, a change to a data object includes any time a data object is added, removed or modified. After transmitting the application data for a data object, the mobile communication device 101 waits for confirmation from the server before recording that the application data for the data object has been successfully transmitted. After receiving application data for a data object from a mobile communication device 101, server 151 transmits an acknowledgment. If there was an error in the transmission or with the data itself, server 151 will return an error. If mobile communication device 101 receives an error from server 151, or there is no response after transmitting application data for a data object, mobile communication device 101 will not record the application data for the data object as having been sent, and the mobile communication device 101 may repeat the sending of the data at some point in the future. A person skilled in the art will recognize that mobile communication devices are sometimes unable to connect to a network, or may have their connection to the network interrupted in the middle of a transmission.
As such, the mobile communication device 101 recording whether or not server 151 has successfully received the application data for a data object is important for the functioning of a reliable data collection system. In one embodiment, if at any time the application data for a data object has not been transmitted from the mobile communication device 101 and received by server 151, the data object is considered to be changed and needs to be transmitted. In one embodiment, the mobile communication device 101 stores whether it has transmitted, and server 151 has successfully received, the application data for one or more data objects present on the device. To identify which data objects have had appropriate application data reported to server 151, the mobile communication device 101 can store a database containing identifying information for the data objects that have been successfully reported to server 151, and use it to determine whether the device needs to transmit application data for these data objects. For example, a data object that is a file in a file system can be identified by hashing its contents. When the data object is first installed on a mobile communication device 101, the database may not contain data for the data object. Because there is no identifying information for the data object, the mobile communication device 101 recognizes the data object as new and transmits the application data for the data object to server 151, indicating that the object is new. After transmitting application data for the data object to server 151 and receiving confirmation that the server has successfully received the application data, the device stores in the database the hash of the file's content and the location in the file system where the file resides.
If the data object is deleted, the mobile communication device 101 can detect that there is no file at the previously stored file system location and can report the deletion of the data object to server 151, providing the file system location and/or hash identification information for the data object. If the file has been modified, as in the case of an application being updated, the mobile communication device can detect that a file exists at the location previously stored in the database, but that the hash of the file's content does not match the stored content hash. In this case, the mobile communication device 101 can inform the server that the data object identified by the location of the file and/or the hash of the previous content has been updated, and report the new hash of the content of the file. In one example, a security system installed on the mobile communication device 101 may report application data for a data object to server 151 for the purpose of receiving an assessment of the data object. If a mobile communication device downloads a new application that is harmful, it is important that the security system detects this new item as soon as possible. Server 151 can analyze the new application and provide a security assessment so that actions can be taken based on the results. In another example, a first version of an application may be safe, but a second version of the application may be malicious. It is important that a security system recognizes this update as different from the first version of the application so that it produces a new evaluation of the second version and does not simply report the first evaluation. Server 151 can analyze the updated application and provide a security assessment so that actions can be taken based on the results. In block 303 of figure 3, the mobile communication device 101 transmits identification information for the mobile communication device to server 151.
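The reporting database described above (content hash and file location, recorded only once the server acknowledges receipt) can be sketched as follows. This is an added example, not code from the patent; it assumes SHA-256 as the content hash, an in-memory snapshot standing in for the file system, and a hypothetical `send` callable that returns "ack" on success, another value on a server error, or raises ConnectionError when the link drops.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


def content_hash(data: bytes) -> str:
    # Assumption: SHA-256. The description only says the content is hashed.
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Change:
    kind: str                # "new", "updated" or "deleted"
    path: str                # file system location of the data object
    old_hash: Optional[str]  # hash last acknowledged by the server, if any
    new_hash: Optional[str]  # hash of the current content, if the file exists


class ReportedObjects:
    """Device-side record of data objects the server has acknowledged."""

    def __init__(self) -> None:
        self._acked: dict[str, str] = {}  # path -> acknowledged content hash

    def pending_changes(self, snapshot: dict[str, bytes]) -> list[Change]:
        """Compare the current files (path -> content) with the database."""
        changes: list[Change] = []
        for path, data in sorted(snapshot.items()):
            new = content_hash(data)
            old = self._acked.get(path)
            if old is None:
                # No identifying information stored: the object is new.
                changes.append(Change("new", path, None, new))
            elif old != new:
                # Same location, different content hash: the object was updated.
                changes.append(Change("updated", path, old, new))
        for path, old in sorted(self._acked.items()):
            if path not in snapshot:
                # Stored location no longer holds a file: report the deletion.
                changes.append(Change("deleted", path, old, None))
        return changes

    def report(self, change: Change,
               send: Callable[[Change], Optional[str]]) -> bool:
        """Transmit one change; update the database only on acknowledgment."""
        try:
            reply = send(change)
        except ConnectionError:
            return False  # interrupted transmission: object stays pending
        if reply != "ack":
            return False  # server error or no response: object stays pending
        if change.kind == "deleted":
            self._acked.pop(change.path, None)
        else:
            self._acked[change.path] = change.new_hash
        return True
```

Because the database is written only after an acknowledgment, a failed or interrupted report leaves the object in `pending_changes` and it is retried on the next pass.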
In one embodiment, the identification information is authentication information. In one embodiment, the identification information is a non-authoritative identifier for the device, such as a device ID that is not considered secret. In one embodiment, the identification information includes device information for the mobile communication device (for example, make, model, hardware characteristics). In addition, the mobile communication device 101 transmits information for the changed data object. This information can include identifying information for the data object, such as metadata (for example, hash, package name, file name, file path, cryptographic signer, unique identifier such as a UUID) and the like. In block 305, server 151 receives the identifier of the mobile communication device 101 and the information for the changed data object. The received data is stored by server 151 on the server or in data store 111 (block 307). In one embodiment, only a portion of the data received by server 151 is stored. In block 309, server 151 provides an assessment for the changed data object using any of the techniques described herein or in U.S. Patent Application No. 12/255,621, which is incorporated herein in full. The assessment may include instructions and/or a categorization labeling the changed data object as safe, malicious, or unknown. In one embodiment, some or all of the received data is stored on server 151 or data store 111 and is associated with the device that transmitted the data. For example, this can allow server 151 to later determine which applications the device has encountered. In another embodiment, some or all of the received data is stored on server 151 or data store 111 in such a way that the server cannot directly tie the information to a given device. For example, server 151 can store received data without any link to a particular device.
In another example, the data can be anonymously associated with a device by the server associating the data with an identifier when stored. To ensure that server 151 cannot associate the stored data with a given device, the identifier is known only to the device transmitting the data and is provided to the server whenever the device transmits data. The server does not store this identifier, so the identifier is never directly linked to a specific device or account on server 151 or data store 111. In one embodiment, server 151 stores the results of the assessment on the server or data store 111. If, when an assessment for a data object is required (block 309), a previous assessment of the data object exists and is considered valid, server 151 retrieves the previous assessment from data store 111 instead of performing a new assessment. Assessments can be considered to be for the same data object if the metadata for each object matches in a variety of ways, including if the assessments relate to data objects with the same hash, same package name, same cryptographic signer, or same file path. In block 311, the assessment is transmitted to the mobile communication device 101, which receives this assessment from server 151 (block 313) and processes the assessment or takes the appropriate measures (block 315). A person skilled in the art will appreciate that the interaction between the mobile communication device 101 and server 151 is dynamic, in that server 151 can proactively transmit notifications or instructions to remediate changed data objects, which require action by the mobile communication device 101. Figure 4 illustrates such an embodiment. In block 401 of figure 4, the mobile communication device 101 detects a change in a specific data object. In block 403, mobile communication device 101 sends device identification information and information about the changed data object to server 151.
Server 151 receives identification information for mobile communication device 101 and information about the changed data object (block 405). In block 407, server 151 stores the changed data information on the server or in data store 111. In block 409, server 151 can analyze and evaluate the changed data object, and can report the assessment to the mobile communication device 101 (block 411). As discussed earlier, if an assessment has already been carried out for the data object, that previously performed assessment can be retrieved and used instead of performing the assessment again. If server 151 reports an assessment, the mobile communication device 101 receives the assessment or other notification in block 413, and processes the assessment (block 415). In one embodiment, the assessment for the data object can change. For example, a data object that may have previously been assessed as safe or unknown can later be identified as malicious, causing some hitherto unknown vulnerability, or causing undesirable behavior, such as excessive network usage or battery drain. In block 417, if server 151 detects a change in the assessment of a previously analyzed data object, then in block 419, server 151 can transmit a notification, remediation instructions or the like to the mobile communication device 101. The mobile communication device 101 receives the notification from server 151 (block 421), then performs the recommended actions or remediation instructions (block 423). In block 425, the mobile communication device 101 transmits a confirmation that it has performed the necessary actions, which server 151 receives (block 427). In one embodiment, the notification is sent to the mobile communication device 101 only if the data object is determined to be present on the mobile communication device.
In one embodiment, server 151 stores information on server 151 or data store 111 that allows server 151 to determine whether the mobile communication device 101 currently has a data object, or has previously requested an assessment of the data object. A person skilled in the art will appreciate that figure 4 presents just one example of how server 151 can report changes in an assessment to a mobile communication device, and some steps can be skipped without departing from the present disclosure. For example, the mobile communication device can execute remediation instructions or other required actions without sending confirmation to server 151. In one embodiment, server 151 can request additional information about a specific data object from mobile communication device 101. For example, mobile communication device 101 can send information about a changed data object to server 151; however, the information sent may be insufficient for server 151 to perform a conclusive analysis. Figure 5 illustrates this embodiment. In block 501 of figure 5, the mobile communication device 101 detects a change in a data object, and transmits identification information for the mobile communication device 101 with information for the changed data object to server 151 (block 503). Server 151 receives the identification information for mobile communication device 101 and the information for the changed data object (block 505), and stores the information for the changed data object on the server or data store 111 (block 507). At block 509, server 151 determines whether it requires additional information about the changed data object. For example, server 151 may attempt to assess whether the changed data object is safe or malicious, but be unable to provide a conclusive assessment (i.e., the assessment results in "unknown").
Determining whether more information is needed can be done before server 151 performs an assessment, if there is not enough data to even begin an assessment, or after an assessment returns without a conclusion due, in part or as a whole, to a lack of data. If additional information is required, then server 151 can request additional information from mobile communication device 101 (block 511). In block 513 of figure 5, the mobile communication device 101 receives the request for additional information, gathers the requested information (block 515), then transmits the additional information to server 151 (block 517). In one embodiment, the additional information includes behavioral data for a data object and application data for the data object, such as the content of the data object. In block 519, server 151 receives the additional information from the mobile communication device 101, and stores the additional information (block 521). Server 151 can then analyze the information for the changed data object together with the additional information to provide an assessment (block 523), which can be sent to the mobile communication device 101 (block 525). In block 527, the mobile communication device 101 receives the assessment of the changed data object from server 151, and then processes the assessment (block 529). In one embodiment, the mobile communication device 101 may choose to transmit additional information to server 151. For example, server 151 may analyze a data object, but not provide a conclusive assessment. Instead of server 151 requesting additional information from the mobile communication device 101, the device may request an additional assessment, providing additional information for the data object to server 151. Figure 6 illustrates this embodiment.
In block 601 of figure 6, the mobile communication device 101 detects a change in a data object, then, in block 603, the mobile communication device 101 sends its identification information and the information for the changed data object to server 151. In block 605, server 151 receives the identification information for mobile communication device 101 and the information for the changed data object. This information is stored by server 151 on the server or in data store 111 (block 607) and then analyzed by server 151 to result in an assessment (block 609). In block 611, server 151 transmits the appropriate assessment or notification to mobile communication device 101. Mobile communication device 101 receives the assessment from server 151 (block 613 of figure 6). In block 615, the mobile communication device 101 determines whether to send additional information about the data object. For example, server 151 may be unable to produce an assessment for the data object based on the available data, and therefore needs more information to be able to produce an assessment. In block 617, if the mobile communication device 101 determines that it should send additional information about the data object, this information is gathered. In block 619, the mobile communication device 101 transmits the additional information to server 151, which receives this information (block 621) and stores the additional information received (block 623). It will be appreciated that server 151 knows that the additional information pertains to the information previously received by server 151 (block 605), since the mobile communication device 101 will transmit the identification information with the additional information. In block 625 of figure 6, server 151 analyzes the additional information received from the mobile communication device 101. In one embodiment, the additional information can be analyzed together with the information previously received (block 605).
In block 627, server 151 transmits the assessment to the mobile communication device 101, which processes the assessment (block 629). If the mobile communication device 101 still needs to send additional information, it can repeat the process as necessary. As noted earlier, server 151 may have access to a plurality of mobile communication devices, some of which may run or store the same application programs or data objects. Requesting information about the data object from a single mobile communication device can cause network traffic, affecting not only that single mobile communication device, but other devices on the network. In one embodiment, if server 151 requires information about a data object that is stored on more than one mobile communication device, server 151 can gather portions of the necessary information from each of the mobile communication devices, instead of depending on a single device. Figure 7 illustrates an embodiment using a first and a second mobile communication device, thus optimizing data collection from two or more mobile communication devices. In block 701 of figure 7, the first mobile communication device detects a change in a data object. The data object is also found on the second mobile communication device, but may or may not exhibit the same change there. The first mobile communication device transmits its identification information and information for its changed data object to server 151 (block 703). In block 705, server 151 receives the identification information for the first mobile communication device with the information for the changed data object. This information is stored by server 151 (block 709). In block 711, server 151 determines that it requires additional information about the data object. In block 713, server 151 identifies the second mobile communication device, which server 151 knows also stores the data object as well as additional information for the data object.
In block 715 of figure 7, server 151 requests additional information for the data object from the second mobile communication device. This request is received by the second mobile communication device (block 717). In response, the second mobile communication device will gather the additional information (block 719), then transmit the additional information to server 151 (block 721). Server 151 receives (block 723) and stores the additional information about the data object from the second mobile communication device on server 151 or data store 111 (block 725), then analyzes this additional information together with the information previously received from the first mobile communication device to generate an assessment (block 727). This assessment is transmitted to the first mobile communication device (block 729), which receives the assessment (block 731) and processes the assessment (block 733). It will be appreciated that, if relevant, server 151 can also transmit the assessment to the second mobile communication device. In one embodiment, server 151 can collect additional information from various devices. In one embodiment, server 151 chooses which devices to request additional information from by analyzing device information and application data previously stored by the server. For example, to characterize the use of SMS by a messaging application and determine whether or not it is abusing SMS for spam purposes, server 151 can request the count of SMS messages sent by the application from many mobile communication devices that previously reported that they have the application installed. In one embodiment, the server attempts to analyze a data object to produce an assessment without first waiting to receive information about the data object from a device. Instead, the server can receive data from other sources and proactively request information from one or more devices to create an assessment for the data object.
In one embodiment, application data for a data object that is collected and transmitted by the mobile communication device 101 to server 151 may include behavioral data about the data object. Use of this data by server 151, such as during analysis, is discussed in more depth below. Behavioral data can include information about what the data object did when it ran on the device. Examples of behavioral data include information about network connections caused by the data object (for example, server names, source/destination addresses and ports, connection duration, connection protocols, amount of data transmitted and received, the total number of connections, frequency of connections, network interface information for the connection, and DNS requests made), the behavior of the data object when it executes (for example, system calls, API calls, libraries used, inter-process communication calls, number of SMS messages transmitted, number of e-mail messages sent, information about user interfaces displayed, URLs accessed), and overhead caused by the data object (for example, battery used, CPU time used, network data transmitted, storage used, memory used). Other behavioral data includes the context in which a certain behavior occurred (for example, whether the phone screen was off when the data object sent an SMS message, whether the user was using the data object when it connected to a remote server, etc.). Because a data object generates a large amount of behavioral data each time it is executed, it is important for a mobile communication device not to collect or transmit all possible behavioral data; otherwise, collecting and transmitting behavioral data can overuse the resources of device 101, server 151, and network 121. In one embodiment, mobile communication device 101 limits what type of behavioral data for a data object it collects and transmits, and how often it collects and transmits behavioral data, based on the time since the data object was last changed.
For example, when a data object is first installed on a mobile communication device, the device can collect and transmit the full amount of available behavioral data each day. One week after the data object is installed, the device can send only a limited subset of behavioral data at weekly intervals. One month after installation, the device can send only a minimal amount of behavioral data at monthly intervals. In one embodiment, if the data object is updated (for example, updating an application to a different version), the device can transmit the full range of behavioral data daily and reduce the range and frequency of data collected and transmitted after one week and/or after a month. In one embodiment, server 151 sends configuration to the mobile communication device 101 requesting that the device send specific types of behavioral data at a specific frequency. The device stores the configuration so that it can determine whether to collect and/or transmit behavioral data for data objects. In one embodiment, the configuration information is specific to a particular data object. In one embodiment, the configuration information is for all data objects detected by the device. In one embodiment, server 151 requests behavioral data for a specific data object from the device so that the server can minimize behavioral data that is unnecessarily collected and transmitted. In one embodiment, server 151 can influence the collection and transmission of behavioral data from device 101 to server 151. For example, server 151 can transmit instructions to mobile communication device 101, requesting behavioral data for a data object only if the server has information indicating that the device currently has the data object, and if the server needs more behavioral data to better evaluate the data object.
In one embodiment, server 151 determines that it does not need any more behavioral data for an object based on the number of devices that have already reported the behavioral data. For example, the server may require at least one hundred (100) devices to report behavioral data for each data object in order to have a confident assessment. In one embodiment, the difference between the behavioral data reported by different devices is used to determine the amount of behavioral data that is required for an assessment to be reliable. For example, if thirty (30) devices all reported battery usage by a data object within a small range, the server may not request any more behavioral data for that object; however, if those thirty (30) devices showed a wide range of battery usage, the server may require behavioral data from two hundred (200) devices. In one embodiment, a mobile communication device may transmit behavioral data only if the data is outside normal limits. In one embodiment, the limits are universal for all data objects. For example, a limit on network usage can be set so that the mobile communication device transmits behavioral data for the data object's network connections only if the data object maintains at least one open connection for more than 50% of the time it is running or if the data object transmits more than one megabyte of data in a 24-hour period. In one embodiment, server 151 can update the limits on a mobile communication device 101 by transmitting updated limit information to the device. In one embodiment, the limits can be particular to one or more data objects. For example, a device may have a set of default thresholds beyond which it will send behavioral data, but the server can transmit thresholds for a specific data object, identifying the data object through identifying information such as a cryptographic signer, hash, package name, or file system location.
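The device-side threshold check described above can be sketched as follows: universal defaults (an open connection for more than 50% of running time, or more than one megabyte in 24 hours) plus server-supplied limits for a specific data object. This is an added example, not code from the patent; the class names, the lookup precedence among identifiers, reading one megabyte as 1,000,000 bytes, and the sample override values are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkLimits:
    # Defaults taken from the description's universal network-usage limit.
    max_open_fraction: float = 0.50     # share of running time with a connection open
    max_bytes_per_24h: int = 1_000_000  # "one megabyte", assumed to mean 10**6 bytes


@dataclass(frozen=True)
class NetworkUsage:
    """One 24-hour observation window for a single data object."""
    running_seconds: float
    connected_seconds: float  # time with at least one connection open
    bytes_transmitted: int


# Assumption: when several overrides match, the most specific identifier wins.
LOOKUP_ORDER = ("hash", "signer", "package_name", "path")


class LimitTable:
    def __init__(self, default: NetworkLimits = NetworkLimits()) -> None:
        self.default = default
        self._overrides: dict[tuple[str, str], NetworkLimits] = {}

    def update(self, kind: str, value: str, limits: NetworkLimits) -> None:
        """Store limits the server sent for one identified data object."""
        if kind not in LOOKUP_ORDER:
            raise ValueError(f"unknown identifier kind: {kind}")
        self._overrides[(kind, value)] = limits

    def limits_for(self, identifiers: dict[str, str]) -> NetworkLimits:
        for kind in LOOKUP_ORDER:
            value = identifiers.get(kind)
            if value is not None and (kind, value) in self._overrides:
                return self._overrides[(kind, value)]
        return self.default

    def exceeded(self, identifiers: dict[str, str],
                 usage: NetworkUsage) -> list[str]:
        """Return the limits this window exceeded; empty means nothing is sent."""
        limits = self.limits_for(identifiers)
        reasons: list[str] = []
        # An object that never ran has no connection fraction to evaluate.
        if usage.running_seconds > 0:
            fraction = usage.connected_seconds / usage.running_seconds
            if fraction > limits.max_open_fraction:
                reasons.append("open_connection_fraction")
        if usage.bytes_transmitted > limits.max_bytes_per_24h:
            reasons.append("bytes_per_24h")
        return reasons
```

Both comparisons are strict, matching the "more than" wording, so a window that sits exactly on a limit is not reported.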
Updated limits can instruct the device to send more or less behavioral data than the default set of limits. For example, a mobile communication device may never send behavioral data. When a new data object is installed on the device, the device reports the installation event and the metadata associated with the data object to the server. If the server has already characterized the data object through behavioral data from other devices, the server can send limits to the device specifying the typical behavior of the data object on other devices (for example, it uses less than 100 kB of data per day, never sends SMS messages, never sends emails), so that if the data object deviates from these limits, the mobile communication device will send the deviating behavioral data to the server. Such deviations can be useful in the case of a legitimate application that becomes exploited and begins to exhibit atypical behavior or in the case of a "time bomb" application that only begins to become harmful after a certain time. In one embodiment, the data transmitted from the mobile communication device 101 to server 151 is configurable in order to protect the user's privacy, to avoid excessive use of resources on the device, network or server, or for other reasons. Some example configurations include choosing which application data is sent by device 101 to server 151, how often application data is sent, and how application data is retransmitted should initial transmissions fail.
Example configurations may also include transmitting only identifying information (for example, without additional metadata or behavioral data), never transmitting any application data, never transmitting the content of the data object, only transmitting application data for data objects based on the origin of the data objects, only transmitting a certain type of behavioral data, only transmitting a certain amount of application data per day, only transmitting the content of one data object per day, transmitting behavioral data at most once per day per data object, and the like. A person skilled in the art will recognize that other configurations are possible without departing from the scope of the present disclosure. In one embodiment, the configuration can be enforced by a mobile device 101 and/or server 151, by the device making only certain transmissions and/or by the server making only certain requests of the device. In one embodiment, the configuration is controlled by one or more parties. For example, the configuration can be adjusted automatically by server 151 or by software residing on the mobile communication device 101, controlled by an administrator through server 151, and/or controlled by a user through a mobile device 101. In one embodiment, portions of the configuration are controlled by different parties. For example, a user may or may not be able to control which data objects are reported to server 151, but an administrator of server 151 can control the frequency of reporting behavioral data for all devices to optimize the battery usage of the security system. In one embodiment, the software on a mobile communication device 101 displays a user interface dialog when it receives a request to transmit application data for a data object, such as its content or behavioral data.
As discussed above, a request for the content of the data object can be for the total content or for a part of the content, with the request identifying which part of the content if a part is requested. The displayed user interface dialog can identify the data object for which the application data is to be transmitted, and give the device user the opportunity to allow or reject the transmission. In one embodiment, the dialog allows the user to have the device remember the decision for future data objects. In one embodiment, the dialog allows the user to see more in-depth information about the application data to be sent, and provides a way for the user to understand the privacy implications of sending the data, such as links to a privacy policy, a privacy description, or other content that describes how data is transmitted, stored and used. In one embodiment, a mobile communication device attempts to transmit a data object when it receives an indication that server 151 needs more information to produce an assessment. In this case, the device may display a user interface dialog prompting the device user to choose whether or not to transmit the content of the data object when the device attempts to transmit a data object. In one embodiment, any attempt to transmit certain types of application data, such as the content of a data object, results in a user interface dialog for confirmation, while other types of application data, such as metadata or behavioral data, are transmitted without requiring confirmation from the user. Since a particular application can use multiple data objects, it may be desirable for the mobile communication device 101 and/or server 151 to group multiple data objects together so that the application can be analyzed as a whole. In one embodiment, the mobile communication device 101 or server 151 can perform the grouping by comparing the application data between various data objects.
For example, application data that can be used to group data objects includes how the data objects were installed (for example, data objects from the same installer can be grouped), whether the data objects are linked together at runtime or dynamically, whether multiple data objects are in the same directory on the file system, and whether the data objects share a cryptographic signer. For example, an application installer can extract an executable and multiple libraries to the file system on a mobile device. The mobile communication device 101 can use the common installer to consider the data objects grouped and can store the grouping information for use in collecting behavioral data (discussed below). In order for server 151 to recognize the group, each data object's application data can include identification information for the common installer. Server 151 can explicitly store the grouped relationship on server 151 or data store 111 to access grouping information efficiently during analysis. Since behavioral data cannot always be attributed to a single data object when multiple objects run together, such as in the context of a single process, if the device's operating system does not support granular behavioral data, or because of other mechanisms, it may be desirable for the mobile communication device 101 to group multiple data objects together and report behavioral data for the group together. In one embodiment, the mobile communication device 101 transmits information indicating that the grouped data objects are associated and transmits the application data for the grouped data objects to server 151 together.
For example, if a process on a mobile communication device loads several components from different vendors and network data can only be gathered at a per-process level, and/or if the process is detected connecting to a known malicious server, then it may be desirable for all components loaded in the process to be identifiable by the server to determine the offending component. When the mobile communication device 101 collects behavioral data (such as the IP addresses that the process has connected to) for the process, the device reports identifying information for all data objects that are associated with the process to the server. When the server receives the behavioral data for a group of data objects, it can analyze the behavioral data from various devices and determine that only groups containing a particular data object connect to the malicious server. Thus, only the data object that results in a connection to the malicious server will be considered malicious.

In one embodiment, if a mobile communication device does not provide granular information about the behavior of particular data objects, the behavioral data for the device as a whole can be transmitted to the server as representing the group of all data objects installed on the device. For example, if an operating system does not provide battery usage information by process, devices running the operating system can transmit a list of applications installed on each device and the overall battery life for each device to server 151. The server can then perform analysis of this data to determine which applications correlate with better or worse battery life and estimate the contribution of each application to battery life when installed on a device.

In an embodiment where multiple data objects in a group have different behavioral data collection settings, the mobile communication device will join the settings together.
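The server-side attribution step described above (finding the one data object common to every group that contacted a known malicious server) can be sketched as follows. This is an added example, not code from the patent; the report structure, object identifiers, host names and the `min_hits` threshold are assumptions, and the sample reports are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupReport:
    """Behavioral report for one process: all grouped data objects plus contacted hosts."""
    device_id: str
    object_ids: frozenset    # identifying information for each data object in the group
    remote_hosts: frozenset  # hosts the process connected to (per-process granularity only)


def attribute_connection(reports, bad_host, min_hits=2):
    """Find the data object(s) that explain connections to bad_host.

    A suspect must be present in every group that contacted bad_host and
    absent from every group that did not. With fewer than min_hits reporting
    groups the evidence is treated as insufficient (assumed policy).
    """
    hits = [r for r in reports if bad_host in r.remote_hosts]
    misses = [r for r in reports if bad_host not in r.remote_hosts]
    if len(hits) < min_hits:
        return {"suspects": set(), "hit_groups": len(hits), "conclusive": False}

    in_every_hit = set.intersection(*(set(r.object_ids) for r in hits))
    seen_clean = set().union(*(r.object_ids for r in misses))
    suspects = in_every_hit - seen_clean
    # More than one surviving suspect means the groups cannot be told apart yet.
    return {"suspects": suspects, "hit_groups": len(hits),
            "conclusive": len(suspects) == 1}


# Constructed sample: four devices, each reporting one process-level group.
REPORTS = [
    GroupReport("dev-a", frozenset({"app.main", "lib.ads.v2", "lib.analytics"}),
                frozenset({"cdn.example.net", "c2.bad.example"})),
    GroupReport("dev-b", frozenset({"game.main", "lib.ads.v2"}),
                frozenset({"scores.example.org", "c2.bad.example"})),
    GroupReport("dev-c", frozenset({"app.main", "lib.analytics"}),
                frozenset({"cdn.example.net"})),
    GroupReport("dev-d", frozenset({"game.main", "lib.physics"}),
                frozenset({"scores.example.org"})),
]

if __name__ == "__main__":
    print(attribute_connection(REPORTS, "c2.bad.example"))
```

With a single reporting group every member of the group remains a suspect, which is why the result carries a `conclusive` flag instead of naming a component prematurely.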
For example, if the mobile communication device 101 is configured to report a large amount of behavioral data every day for one data object, but is configured to report only anomalous behavioral data for another data object, and the data objects are grouped, the device can join the two configurations and report a large amount of behavioral data for the group. Alternatively, if the second data object is configured to not report behavioral data for privacy reasons, no behavioral data may be reported for the group to satisfy the privacy restriction.

A person skilled in the art will appreciate that data transmitted by server 151 or mobile communication device 101, such as metadata, behavioral data, configuration information, behavioral data limits, grouping data, requests for additional data, notifications and other forms of data, can be formatted using binary or non-binary formats. Examples include formatting data in XML, JSON, or as part of a URL. Data can be transmitted using a variety of protocols, including TCP, UDP, DNS and HTTP. Other formats and/or protocols can be used without departing from this disclosure.

The above are various non-limiting examples of how data is gathered and collected from one or more mobile communication devices. Techniques for optimizing data collection are also described above. As discussed, mobile communication devices 101 will transmit some or all of the data described above to server 151 for analysis, so that server 151 can provide an assessment of the analyzed data. The following section describes non-limiting examples of analysis techniques. A person skilled in the art will appreciate that although the examples and disclosure below use the data gathered using the methods described here, other types of data can be transmitted and that this disclosure is not limited to the data described here.

B. Data Collection System

A person skilled in the art will appreciate that server 151 can receive data from sources other than mobile communication devices for use in analyzing a data object and producing assessments. Fig. 10 illustrates an embodiment in which server 151 can receive data from multiple sources and transmit assessment information for various uses. One or more servers 151 are illustrated as a "cloud" to emphasize that multiple servers can operate in coordination to provide the functionality described herein. One or more mobile communication devices 101 are illustrated as a group to emphasize that multiple devices 101 can transmit information to and receive information from server 151. As previously disclosed, one or more mobile communication devices 101 can transmit application data for data objects to server 151, and devices 101 can receive assessment data, requests for more information, notifications, and the like from server 151.

In addition to gathering data from mobile communication devices, server 151 can receive information regarding data objects from a variety of data collection systems. Such systems can be separate from server 151 or can be part of server 151. In one embodiment, a data collection system directly updates a database or other storage on server 151 or in data store 111 with information for one or more data objects. In one embodiment, a data collection system communicates with server 151 to provide information to server 151. There are many types of systems that can be used as data feeds to server 151. Some examples include web crawlers 1003, application market data collection systems 1005, honeypots, and other systems that can feed information related to mobile device applications to server 151.

In one embodiment, a web crawler 1003 downloads data objects that can be run on mobile communication devices and retrieves information about data objects, feeding server 151. For example, crawler 1003 can use a search engine to look for sites that host mobile apps.
Once crawler 1003 identifies sites that host mobile apps, the crawler can retrieve the web pages available on those sites, examining the content of each page to determine additional pages to retrieve. For example, a page on a mobile download site may contain links to other pages, as well as links to download data objects. It may be desirable for the data collection system to transmit to server 151 only information that is relevant to mobile devices, as there is a lot of content available on the internet that does not affect mobile communication devices (for example, PC software). In one embodiment, crawler 1003 can identify whether a data object that is available for download or that has already been downloaded is capable of running on a mobile communication device. For example, crawler 1003 can examine a download URL for a specific string indicating that the URL corresponds to a mobile application package (for example, SIS, APK, CAB, IPA). In another example, crawler 1003 can examine a data object after it has been downloaded to determine whether it affects mobile communication devices and, if so, whether it affects a specific mobile platform. In this case, crawler 1003 can examine the downloaded data object for characteristics such as its name, whether it contains executable code compatible with any mobile platform, or whether it contains data that is typical for a specific mobile device platform.

In one embodiment, crawler 1003 gathers market metadata about data objects and transmits the market metadata to server 151. Some examples of market metadata include where a data object is available for download, user reviews and comments for a data object, the price of the data object if it is available for purchase, the number of times the data object has been downloaded, information about the author of the data object, and other information relating to a data object that is available on websites.
As will be discussed below, data about where a data object is available can be used to determine how reliable the data object is. For example, a data object available on the website of a reputable company can be considered more reliable than a data object made available on a mobile forum by one of the forum users.

Because many mobile applications are only available in mobile application markets, it can be important for server 151 to receive information about the data objects that are available in application markets. In one embodiment, an application market data collection system 1005 retrieves information about a data object, such as the content of the data object and market metadata for the data object, from mobile application markets and reports the information to server 151. In one embodiment, the application market data collection system 1005 is part of server 151. In an alternative embodiment, the application market data collection system is separate from server 151. Application markets are often provided by vendors of mobile platforms (for example, Android Market, Blackberry App World, Apple App Store, Nokia Ovi Store) or by third parties (for example, GetJar, Handango) and can use a proprietary API. In one embodiment, the application market data collection system 1005 is configured to communicate with application market servers via a proprietary protocol. In order to transmit the data received from the application market servers to server 151 in a way that is usable by server 151, the application market data collection system 1005 can transform the application data for data objects from a proprietary format into a format that server 151 can use for analysis. For example, an application market may provide an API to access user comments and ratings for an application; however, the data returned by the API may differ from the comment data of other application markets.
In another example, an application can proactively transmit data to the application market data collection system 1005 so that the data collection system does not have to repeatedly query it. To allow server 151 to analyze comment data from various application markets, the application market data collection system 1005 can transform differently formatted comment data into a standard format for transmission to server 151. In one embodiment, an application market data collection system 1005 can search for certain terms in user reviews, such as "battery consumption", "crash", "privacy settings", "does not work", "phone number", "contacts", and the like, which can be used to characterize an application as "damaged", or used to establish the trust of an application using the system components described here. In an alternative embodiment, the application market data collection system 1005 can gather all comment data, and analysis of the comment data can be performed by server 151. Likewise, server 151 or the application market data collection system 1005 may be able to recognize positive opinions or scores for a data object, thereby improving the assessment and/or suitability for the data object.

In addition to gathering information about data objects, it may be important for server 151 to accept human information 1007. This information may include subjective trust scores for mobile application providers, specific keywords, or other characteristics, such as heuristics, that can classify a mobile app as suspect. A person skilled in the art will recognize that other types of information related to the analysis of data objects for mobile communication devices can be provided by a human being without departing from the scope of the present invention.
In one embodiment, server 151 provides a user interface by which someone can provide information to server 151 about a specific data object, a group of data objects (for example, data objects from a particular developer, all data objects on a specific platform), or for the analysis system as a whole (for example, updated analysis heuristics). In one embodiment, a server separate from server 151 provides a user interface through which a person can provide information about a specific data object, a group of data objects, or the analysis system as a whole. This separate server can transmit the information provided by the user to server 151, where server 151 stores it on server 151 or in data store 111. In one embodiment, the separate server directly updates data store 111 with the information provided by the user.

Figure 10 illustrates server 151 being able to provide information about data objects to external systems. In one embodiment, information provided by server 151 may be transmitted via an API, provided as a list, data feed, report or formatted data such as firewall or virus definitions, or in other ways. In one embodiment, server 151 provides information about data objects to an application market 1009. For example, server 151 can provide market 1009 with a list of malicious data objects that are present in market 1009. In another example, server 151 can expose an API by which application market 1009 can transmit identifying information (e.g., a hash of a data object's content) to server 151 to determine whether the data object is considered harmful or unwanted. In one embodiment, server 151 provides data to network security infrastructure 1011 so that network security infrastructure 1011 can protect against malicious or unwanted applications at the network level. For example, with protection at the network level, mobile communication devices can benefit from protection even if they do not have security software installed.
In one embodiment, server 151 transmits threat signatures to network security infrastructure 1011. Threat signatures can take many forms, for example, hashes of unwanted applications, binary strings for unwanted applications, package names of unwanted applications, firewall rules to block malicious or attacking servers, and rules for a network security system, such as Snort. In one embodiment, server 151 provides data in the form of data feeds 1013. Data feeds 1013 can contain a variety of data available to server 151 or data store 111 from data gathering or later analysis (described below), for example, a list of all data objects that use more network traffic than a given threshold to identify misbehaving or abusive applications, a list of the most prevalent malicious data objects, and a list of applications that meet criteria such as a set of heuristics to identify potentially malicious applications.

C. Analysis systems by the server

In order to produce analysis of data objects or other forms of useful output, the server can use a variety of analysis methods. In one embodiment, because the server has access to information collected about data objects from one or more sources, the server can process the information to produce an assessment for a data object. Figure 11 illustrates an embodiment in which server 151 aggregates application data for a data object, stores the information, generates characterizations and categorizations for the data object, evaluates the data object to produce assessment information, and transmits the assessment information. In block 1101 of figure 11, the application data (for example, the content of the data object, metadata, behavioral data, market metadata) is collected for a data object. Some of the possible methods for collection and the types of data collected have been discussed previously. Such methods may include collecting data from devices, from web sites, from application markets, from people, and from other sources.
In block 1103, the application data for the data object is stored on server 151 or in data store 111 so that the data can be used at a different time than when it is gathered. In block 1105, device data is collected and stored (block 1107) by server 151 or in data store 111. It may be desirable that assessments, categorization and characterization take into account the origin of the reported data, with device data linked to application data. For example, if an application malfunctions only when installed on a particular type of device, it is important for server 151 to be able to analyze the application data provided by devices in the context of which particular device type provided the data. In one embodiment, when the application data is stored (block 1103), it is associated with the device data for the device that provided it. For example, when a device 101 transmits application data to server 151, the device can transmit authentication information, which allows server 151 to retrieve previously stored data for device 101. If device 101 has already transmitted device data to server 151, the previously stored device data can then be associated with the new application data.

In such a data collection system, it may be important to protect privacy and minimize individually identifiable information stored on server 151 or in data store 111. In one embodiment, application data for multiple devices that have the same device data is aggregated, so that the stored data is not linked to a particular device, but to a set of device data shared by one or more devices. In designing such a system, it may be important to take into account the balance between the granularity of the device data and the level at which aggregated data can be attributed to a given device.

As part of the analysis of a data object, it may be desirable for server 151 to characterize and/or classify it (block 1109). In one embodiment, server 151 stores the characterized and classified data for the data objects (block 1111).
It may be desirable for the characterized and classified data to be updated as more data becomes available or the analysis of the data changes. In one embodiment, server 151 performs additional analysis (block 1109) and updates the stored characterized data (block 1111) for a data object when new or updated data for the data object used by the analysis system is available.

Characterization data includes information describing a data object's functionality, behavior and reputation, such as its capabilities, metrics for the data object, analyses of other data relating to the data object, and so on. In one embodiment, server 151 produces characterization data about a data object using application data, device data, market data, distribution data, and other data available to server 151. Although some methods are described below, a person skilled in the art will appreciate that there are other methods for generating assessment information, which can be employed without departing from the scope of the present invention. In one embodiment, server 151 transmits the characterization information as an assessment. A person skilled in the art will realize that characterization information can be useful for a user to understand when deciding to install an application. For example, if a user is planning to download a game, but the user receives an assessment indicating that the game has the ability to send the user's location over the internet, the user may decide not to install the game. In another example, if a user is intending to download an instant messaging app and is concerned that the app may use a disproportionate amount of battery power, the user may receive an assessment showing the app's average battery usage metrics and decide that, based on the metric, the app is acceptable to install. In one embodiment, the characterization information is consumed as an input to one or more other analysis systems.
For example, an analysis system producing an application's privacy risk assessment may use characterization information to determine whether an application has risky capabilities, such as sending location or contact list information to an Internet server.

Capabilities are a form of characterization data that server 151 can produce. In one embodiment, server 151 extracts capabilities from a data object. In certain mobile operating systems or application environments, applications may request granular permissions to access privileged functionality on a device, such as sending or receiving network data, accessing the phone's location, and reading or writing contact entries and SMS messages. In one embodiment, server 151 uses data about the permissions requested by a data object to determine the capabilities of the data object. The server can determine permission data by a variety of means, including metadata and behavioral data reported by devices, market data, static analysis of data objects and dynamic analysis of data objects. For example, applications on the Android operating system have to declare permissions at the time of installation, so server 151 can analyze the permissions declared in an application package directly, through metadata about an application package reported by one or more devices, or via market data to determine permission data.

In one embodiment, server 151 performs content analysis of a data object to determine which APIs on a device the data object uses. In one embodiment, the API analysis can include a search of the data object for data strings that indicate API calls; an analysis of a specific library, function, class or other important data structure in the data object; an analysis of dynamic linker calls; an analysis of calls to local or remote services; static analysis of the data object; dynamic analysis of the data object; and analysis of behavioral data reported by one or more devices.
In one embodiment, server 151 uses information from the extracted API calls to determine that the application has a particular capability. For example, if an application calls an API to interact with a GPS radio on a device, server 151 determines that the application has the ability to determine the device's location. Although such analyses can detect the vast majority of APIs used by a data object, it is possible that advanced self-modifying code may prevent a thorough analysis of a data object. In one embodiment, server 151 detects whether the code is, or may possibly be, self-modifying. The ability of a data object to modify itself can mean that the data object is at greater risk than data objects that are simpler. While many examples of malware on PCs use code self-modification to hide from anti-malware systems, copy protection systems also often encrypt code to prevent unauthorized access; thus self-modification by itself may not be enough to classify a data object as malicious, but it can be used by an analysis system, in addition to other characteristics such as behavioral data, to produce an assessment for the data object.

In one embodiment, server 151 analyzes behavioral data to determine the capabilities of a data object. For example, server 151 can look for a data object making phone calls, sending SMS messages, accessing the internet, or performing other actions that indicate a particular application capability. In some cases, it is important to understand not only which individual functions are used by a data object, but also whether an application exchanges data between APIs. For example, an application that uses the Internet and can read the contact list of a device can have multiple capabilities that have significantly different risks.
For example, an address book application that simply uses the internet to check for updates has less privacy risk than an address book application that reads contacts and sends those contacts to the Internet. In one embodiment, server 151 analyzes the data object to determine whether there are any code paths by which data returned or produced by one API or service is sent to another API or service. For example, server 151 can perform taint tracking between two APIs to determine whether an application transfers data between the APIs. For example, server 151 can determine whether there is a code path in a data object by which data returned by any call to the contacts API on a mobile device can be provided to any network API on the device. If there is such a path, server 151 determines that the data object has the ability to send contacts to the internet. Having this capability can be more valuable during other analyses by server 151 or to a user than simply knowing that an application accesses contacts and that it accesses the internet. Many applications can use both permissions; however, few may actually send contact details to the internet. A user or an automated analysis system can use the knowledge that there is a code path between two APIs as a stronger indicator of capabilities than less granular capability measures.

In one embodiment, server 151 executes a data object on a physical or virtual (for example, simulated or emulated) device and analyzes the behavior of the data object when executed. In one embodiment, the physical or virtual device is instrumented so that it reports behavioral data for the data object. In one embodiment, the network traffic, calls and SMS messages of the physical or virtual device are analyzed by server 151. For example, a virtual device can be configured to report, through its location APIs, a specific location that is unlikely to occur in any real-world circumstance.
By analyzing the device's network traffic for various encodings of that location, such as a binary double encoding, base 64 encoding, and text encoding, server 151 is able to determine whether the data object attempts to report the device's location to a server. In one embodiment, server 151 examines the difference in state of the physical or virtual device before the data object is executed on the device and after the data object has executed. For example, a data object can exploit the kernel on a device on which it is installed, in order to install a stealth rootkit. In this case, a virtual device may show a substantial difference in certain sections of memory, such as in the system call dispatch table, which should not be changed under normal circumstances. In one embodiment, the physical or virtual device has a custom root certificate authority in its list of trusted certificates, and server 151 intercepts all TLS traffic, using a server certificate that is signed by the custom certificate authority, and forwards the traffic to its original destination. Because the device trusts the custom certificate authority, the data object is able to establish a valid TLS connection through server 151 and all encrypted traffic is able to be analyzed by server 151.

In addition to the capabilities of a data object, it may be important for server 151 to gather metrics relating to the effect of a data object running on a device or its use of a device's capabilities. For example, excessive use of the data network, email or SMS messages can be considered abusive or indicative of a malicious or exploited application. In one embodiment, server 151 analyzes application data from many mobile communication devices, such as metadata and behavioral data, device data, and other data that is available to produce metric data that characterize a data object.
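The sandbox check described above, in which the virtual device reports a canary location and the server searches captured traffic for encodings of it, can be sketched as follows. This is an added example, not code from the patent; the canary coordinates, host names and payloads are constructed, and the set of text precisions searched is an assumption.

```python
import base64
import binascii
import re
import struct

# Constructed canary coordinates fed to the emulator's location API.
CANARY_LAT, CANARY_LON = 12.3456789, -98.7654321

B64_RUN = re.compile(rb"[A-Za-z0-9+/_-]{10,}")
URLSAFE_TO_STD = bytes.maketrans(b"-_", b"+/")


def location_needles(lat, lon):
    """Byte patterns for each coordinate: IEEE-754 doubles and decimal text."""
    needles = []
    for axis, value in (("lat", lat), ("lon", lon)):
        needles.append((axis, "double-le", struct.pack("<d", value)))
        needles.append((axis, "double-be", struct.pack(">d", value)))
        texts = {f"{value:.{d}f}" for d in (4, 5, 6)}  # rounded forms
        texts.add(f"{value:.7f}"[:-3])                  # truncated to 4 decimals
        needles.extend((axis, "text", t.encode()) for t in sorted(texts))
    return needles


def _base64_layers(payload):
    """Decode every base64-looking run at all four alignments."""
    for match in B64_RUN.finditer(payload):
        run = match.group().translate(URLSAFE_TO_STD)
        for offset in range(4):
            chunk = run[offset:]
            if len(chunk) % 4 == 1:        # one stray character cannot be decoded
                chunk = chunk[:-1]
            chunk += b"=" * (-len(chunk) % 4)
            try:
                yield base64.b64decode(chunk)
            except binascii.Error:
                continue


def scan_payload(payload, needles, depth=0):
    """Return {(axis, encoding)} found in payload, looking through one base64 layer."""
    hits = {(axis, enc) for axis, enc, raw in needles if raw in payload}
    if depth == 0:
        for decoded in _base64_layers(payload):
            hits |= {(axis, "base64+" + enc)
                     for axis, enc in scan_payload(decoded, needles, 1)}
    return hits


def scan_capture(capture, lat, lon):
    """Map destination host -> sorted findings for a list of (host, payload) pairs."""
    needles = location_needles(lat, lon)
    findings = {}
    for dest, payload in capture:
        hits = scan_payload(payload, needles)
        if hits:
            findings.setdefault(dest, set()).update(hits)
    return {dest: sorted(found) for dest, found in findings.items()}


# Constructed capture from one sandbox run (decrypted payloads per destination).
CAPTURE = [
    ("ads.example.net",
     b"GET /t?lat=12.34568&lon=-98.76543 HTTP/1.1\r\nHost: ads.example.net\r\n\r\n"),
    ("metrics.example.org",
     b'{"blob":"' + base64.b64encode(struct.pack("<dd", CANARY_LAT, CANARY_LON)) + b'"}'),
    ("sync.example.com", b"\x01\x02" + struct.pack(">d", CANARY_LON) + b"\x00"),
    ("weather.example.com", b"GET /forecast?city=Paris HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for host, found in scan_capture(CAPTURE, CANARY_LAT, CANARY_LON).items():
        print(host, found)
```

The scan only sees plaintext, so for TLS flows it depends on the interception setup described in the same passage.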
For example, server 151 can determine the amount of battery usage for devices or for a given type of device, the amount of data a data object sends through any network interface or over cellular versus Wi-Fi network interfaces, how many e-mail messages or SMS messages a data object sends, how many calls an object makes, and other measurements.

Server 151 can produce other characterization information from that described above, which can assist in additional analysis by server 151 to produce an assessment or which can be directly exposed by server 151. In one embodiment, server 151 analyzes network traffic information associated with a data object to produce network characterization data, such as the list of servers the data object connects to, the ports and protocols the data object uses to communicate with those servers, and how much data is transmitted to and received from each server. In one embodiment, the network characterization information includes what proportion of devices running a particular data object connect to each server. For example, an application that connects to an instant messaging server or a known malicious bot command and control server may connect to only one or a small number of servers across all devices on which it is installed; however, a browser or an application that allows the user to make specific connections can connect to a large number of different servers on different devices. In one embodiment, if a data object connects to multiple servers, server 151 informs one or more devices not to collect network behavioral data for that data object, to minimize unnecessary data communication. In one embodiment, network traffic information is collected as behavioral data from mobile communication devices or collected by server 151 executing the data object on a physical or virtual device.
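The network characterization described above (per-server ports, protocols, byte counts, and the proportion of devices that contact each server) can be computed as in the following sketch. This is an added example, not code from the patent; the flow record, the thresholds that separate a fixed-endpoint application from a user-directed one, and the sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One device's reported traffic to one endpoint for a single data object."""
    device_id: str
    host: str
    port: int
    proto: str
    tx_bytes: int
    rx_bytes: int


def characterize_network(flows, shared_share=0.5, min_endpoints=5, tail_ratio=0.8):
    """Aggregate flows from many devices into network characterization data.

    Assumed policy: an object is 'user-directed' (browser-like) when it has at
    least min_endpoints endpoints and at least tail_ratio of them are seen on
    fewer than shared_share of devices; devices are then told to stop
    collecting network behavioral data for it.
    """
    if not flows:
        return {"devices": 0, "endpoints": [], "profile": "unknown",
                "collect_network_data": True}

    devices = {f.device_id for f in flows}
    stats = defaultdict(lambda: {"devices": set(), "tx": 0, "rx": 0})
    for f in flows:
        entry = stats[(f.host, f.port, f.proto)]
        entry["devices"].add(f.device_id)
        entry["tx"] += f.tx_bytes
        entry["rx"] += f.rx_bytes

    endpoints = [
        {"host": host, "port": port, "proto": proto,
         "device_share": len(s["devices"]) / len(devices),
         "tx_bytes": s["tx"], "rx_bytes": s["rx"]}
        for (host, port, proto), s in stats.items()
    ]
    endpoints.sort(key=lambda e: (-e["device_share"], e["host"]))

    tail = sum(1 for e in endpoints if e["device_share"] < shared_share)
    user_directed = (len(endpoints) >= min_endpoints
                     and tail / len(endpoints) >= tail_ratio)
    return {
        "devices": len(devices),
        "endpoints": endpoints,
        "profile": "user-directed" if user_directed else "fixed-endpoints",
        "collect_network_data": not user_directed,
    }


# Constructed sample: a messaging client on four devices.
IM_FLOWS = [Flow(f"d{i}", "chat.example.net", 5222, "tcp", 1200, 3400)
            for i in range(1, 5)]
IM_FLOWS.append(Flow("d1", "push.example.net", 443, "tcp", 300, 900))

# Constructed sample: a browser on three devices, each visiting different sites.
BROWSER_FLOWS = [Flow(f"d{i}", "update.browser.example", 443, "tcp", 500, 8000)
                 for i in range(1, 4)]
BROWSER_FLOWS += [Flow(f"d{i}", f"site{i}{j}.example", 443, "tcp", 2000, 50000)
                  for i in range(1, 4) for j in range(3)]

if __name__ == "__main__":
    print(characterize_network(IM_FLOWS)["profile"])
    print(characterize_network(BROWSER_FLOWS)["profile"])
```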
In one embodiment, server 151 determines whether a data object causes a mobile communication device 101 to access malicious Internet or other public or private networks. For example, a data object that causes a mobile communication device to access a malicious website can subject the device to exploitation. One embodiment of the present description allows the resolution of addresses transmitted over the Internet or Intranet (for example, URLs) to determine whether the address will direct the mobile communication device to a secure website, instead of a dangerous website or phishing scheme. This information can be stored as it relates to a particular data object.

For a user to apply application policy to a mobile device without having to make a separate decision for every single application, it can be useful to categorize the applications so that the user can simply decide which categories of applications should be allowed or denied. In one embodiment, server 151 categorizes a data object using the available data, such as application data, device data, market data, and characterization data. For example, if a data object is characterized as calling location APIs on a mobile communication device, then server 151 can categorize the data object as a mapping or other location-based application. In one embodiment, categories can map directly to capabilities, such as applications that read your contact list or applications that can send your location to the internet. Other examples of categories include whether a data object transmits contact list information from a mobile communication device, whether a data object causes other data, such as a device's phone number, to be transmitted by a mobile communication device, and other behaviors that may affect the security or privacy of a mobile communication device. In one embodiment, server 151 uses the metric data from a data object to categorize it.
For example, the server may have a category of heavy battery users that includes data objects that typically use more than 10% of a device's battery. Because categorization may be dependent on device data, in addition to characterization data, the category of heavy battery users may depend on what type of device is being assessed. For example, a data object that uses more than 10% of one device's battery may use only 5% of another device's battery.

In one embodiment, if a data object does not directly provide categorization information, server 151 can deduce that information. For example, if a data object communicates with a known instant messaging server, server 151 may determine that the data object is an instant messaging application. For example, applications that connect to servers belonging to a popular social network can be classified during analysis as social network applications, applications that connect to a known malicious IRC server can be classified as a malicious bot, and applications that drain the batteries of one or more devices can be flagged as battery consumers.

Since categorizing an application can be subjective and difficult to determine automatically, it may be desirable to have one or more people, within an organization or as part of a collaborative community effort, determine the categories for an application. In one embodiment, server 151 exposes an interface through which users can suggest categories for a data object. For example, server 151 may define a category of applications that are inappropriate for children, that is, applications with content that includes pornography or violence. In this example, one or more users can log into a community voting system provided as a web application where they can browse and search all applications known to server 151. The list of applications can be populated by crawling markets and by application data reported by devices.
Each application can have a page where users can select their recommended category for that application. In one embodiment, the user interface shows information about the data object, such as aggregated application data, characteristics of the data object and other information available to server 151, so that users can make a decision based on the output of the analysis. In one embodiment, the user interface allows a user to select from a list of categories, add new categories, and add tags for a data object. In one embodiment, the user interface has a discussion component, so that people can discuss an appropriate categorization for a data object. In one embodiment, the category for an application is determined by a voting system in which users select their preferred category for the application, the category selected by the most users being the authoritative category for the application. In one embodiment, the user interface is presented on a mobile communication device, shows a list of data objects installed on the device, and allows a user to suggest categories for these data objects. In one embodiment, server 151 processes application data and device data to determine distribution data for a data object. Distribution data can include how widely a given application is currently distributed, how much the distribution of the application has grown over the period of time that the application has been available, what the customer demographics are, such as the regions in which the application has been installed, and other functions of the prevalence of an application among groups of mobile communication devices. For example, server 151 can examine how many mobile communication devices currently report having a data object installed to determine how prevalent the application is. In one embodiment, server 151 uses distribution data to determine the trustworthiness of a data object, or to analyze a data object for risk, as discussed below.
For example, an application that has been installed on many devices for a long period of time without being uninstalled is likely to be less risky than an application that is new to the market and has been installed on only a few devices. Because server 151 can encounter legitimate applications that are in development and, therefore, are not widely distributed, one embodiment of this disclosure is directed to server 151 identifying which applications may be in development, preventing them from being classified as undesirable by an anti-malware or other system. Server 151 can receive application data for a data object indicating that the data object has characteristics inherent in applications under development, such as debug symbols, debuggable permissions or flags, linkage to debug libraries, and other characteristics. Applications in development may also be prone to low distribution or isolated distribution. If server 151 identifies that an application is under development, it can store an indication that the application is considered to be in development and use the indication to prevent server 151 from assessing the application as suspicious or undesirable, or to decrease the likelihood that the server reaches such assessments. In one embodiment, when determining whether a data object should be treated as "under development", server 151 considers the data objects previously encountered by the devices that encountered the data object in question. If those devices frequently encounter data objects that are in development, server 151 is more likely to classify the data object as being in development. If those devices rarely encounter data objects in development, server 151 is less likely to classify the data object as being in development. In one embodiment, server 151 establishes the reputation or trust level for the data object.
In one embodiment, the trust level is determined manually or automatically and is assigned to a single data object, to the various data objects that are part of an application, to the various versions of an application, or to all applications by a given developer on one platform or on multiple platforms. In one embodiment, trust data is stored by server 151 on the server or in data store 111 so that it can subsequently be used directly or as part of producing an assessment. In one embodiment, trust is granted through a manual review process for an application. For example, if server 151 considers the application to be risky based solely on its capabilities (for example, it has access to private data and/or uses sensitive APIs), a user viewing the assessment may choose not to download it, even if the application is well regarded. To solve this problem, the application can be assigned a trust rating by manual review. If the review considers the application to be trustworthy, the assessment reports the application as not risky; however, if after the review the application is determined to be suspicious, the assessment may continue to report the application as risky. Because a reputable application can consist of multiple data objects, can be updated with new data objects, or can have versions for multiple platforms, it can be important to allow a trust rating to cover multiple data objects, applications, and even platforms, so that a manual review does not need to be completed for each version or file that is part of an application. Likewise, because many reputable software vendors produce several applications that can be considered trustworthy, it may be desirable to automatically grant a high level of trust to data objects identified as originating from these vendors.
In one embodiment, server 151 grants a data object a high level of trust if the data object can be attributed to a trusted vendor or to trusted applications through data available to server 151, such as the data object's cryptographic signature, package name, or market metadata. In one embodiment, server 151 uses distribution data and application data to establish an application's trust. For example, if a popular application, such as Google® Maps, is installed on millions of mobile communication devices and there are several previous versions of the application all having the same cryptographic signature and distribution characteristics, subsequent versions of the application with that cryptographic signature would be considered to have a high level of trust. If server 151 encounters another application that has the same name as a popular application, such as Google® Maps, but is installed on only a few devices and uses a different cryptographic signature, server 151 may assign the low-distribution application a low level of trust. An anti-malware system can use such data indicating that a data object has low trust to automatically assess the data object as undesirable or to flag it for manual review. In one embodiment, the trust data for an application can take into account associated applications, such as applications determined to be created by the same developer on the same platform or on different platforms. For example, if a company produces an application on one mobile platform that has a large number of users and good ratings, and the company launches a new application on a different platform, the new application can be assigned a high trust rating based on its association with the first application. In one embodiment, server 151 analyzes application data to determine whether a data object is part of a mobile communication device's operating system or is preloaded by a manufacturer or operator.
In one embodiment, if server 151 determines that a data object is part of a mobile operating system or is preloaded, it is automatically granted a high level of trust. In one embodiment, server 151 analyzes user-generated ratings and comments for an application, such as those gathered by the application market data collection system 1005. For example, server 151 can use ratings and reviews to determine a trust rating for the application. If an application has a low rating and negative comments indicate that the application "fails" or appears to be "bad", server 151 gives the application a low trust rating based on the reputation indicated in the comments; however, if an application has consistently good ratings and many favorable reviews, server 151 gives the application a high trust rating. In another example, server 151 uses ratings and reviews as a subjective indicator of application quality for use in producing assessments for the application. If an application has a significant number of reviews with text indicating that the application "consumes battery" or "sucks battery", server 151 determines that the application has a reputation for adverse battery effects and produces an assessment of the application indicating this. In one embodiment, the server exposes trust data to third parties through an API. For example, trusted applications can be considered certified by the observer. In one embodiment, the level of trust exposed by the API is binary (for example, trustworthy, unreliable), fuzzy (for example, 86% trustworthy, 11% unreliable), or categorical (for example, fully trustworthy, malicious, suspect, semi-reliable). Mobile application markets may want to display an indicator of this certification in an application download user interface as a sign that the application has a good reputation.
In this case, server 151 can expose an API by which third parties can provide a data object or identifying information for a data object, such as a hash identifier, package name, or cryptographic signature. After receiving a data object or enough information to identify one, server 151 responds with an indication of whether the data object is considered certified or not. In one embodiment, the response is an image that indicates whether server 151 considers the data object to be certified or not. In one embodiment, the response contains a hyperlink to server 151 where a user can verify that the certification for the application is genuine. In one embodiment, the web page referenced by the link shows additional information about the application, such as why it was considered trustworthy or not (for example, through manual review, comments, distribution data), what permissions the application requests, the application's features and capabilities, and comments made about the application during manual review. Using the data gathered by server 151 or produced by an analysis system described here, the server can produce an assessment (block 1113 of figure 11). After producing the assessment, server 151 can store the assessment of the data object so that it can be retrieved later (block 1115). The server can then transmit the assessment of the data object (block 1117). For example, the server can publish the assessment on an application provider website, provide the assessment in the form of searchable reports, transmit a notification to a mobile communication device, transmit virus signatures containing the assessment that a particular data object is known to be good or bad, and transmit a response to an API call querying for the assessment of the data object. Such information may be in the form of human-readable text, in a machine-readable format, or may include a "score", a symbol, an icon or other symbolic rating.
A person skilled in the art will appreciate that other situations in which server 151 transmits an assessment of the data object are possible without departing from the scope of the present invention. In one embodiment, assessment data includes the output of an analysis system, such as characterization data, categorization data, trust data and distribution data. For example, an assessment for a data object may include (exclusively or in addition to other information) capabilities detected for the data object, average battery usage for the data object, the average number of SMS messages or emails sent by the data object, the most common servers the data object connects to, the average amount of network data for the data object and trust ratings for the data object. It will be appreciated that the aforementioned assessment data can also be provided as an input to server 151. For example, a network operator or company may operate a server that produces assessment data and feeds the data back to a master server. In another example, users can determine assessment data and provide it to server 151 through an interface, such as a web application. In this case, users can provide subjective trust data, risk ratings, a categorization, or other assessment data that can be used by the server. In one embodiment, server 151 combines the assessment data received from multiple sources to produce an overall assessment. For example, if a malware author tries to transmit an assessment to server 151 indicating that a malicious application is safe, in the hope of causing server 151 to produce a false assessment, the server can use the number of unique sources providing assessments and the reliability of those sources to produce the overall assessment.
If one hundred assessments are received from different trusted sources, such as network operators and companies, indicating that the application is malicious, but ten thousand assessments from a specific unverified source indicate that the application is safe, the server produces an overall assessment indicating that the application is malicious. In one embodiment, the assessment data produced by server 151 includes one or more ratings for a data object. For example, an assessment for a data object may include a rating for the privacy of the data object, produced by server 151 taking into account whether the application has the ability to send location data, contact data, SMS messages, or files from a device to a server. In another example, an assessment for a data object may include a rating for the security of the data object, produced by server 151 taking into account whether there are known vulnerabilities in the application, whether the application listens for network connections on all ports, whether it follows secure coding guidelines, what the application's trust level is, and whether there are any anomalies in the application (for example, stealth code, deciphered code, structural anomalies). In another example, the assessment of a data object may include a rating for the battery impact of the data object, such as the estimated number of minutes of phone battery life reduction, produced by server 151 taking into account the battery usage data reported by devices. In another example, the assessment of a data object can include a rating for the performance of the data object, produced by server 151 taking into account the average CPU usage of the application and how frequently the application does not respond to user input events.
In another example, an assessment for a data object includes a quality rating that is produced by server 151 taking into account the frequency of application failures, user comments, user ratings, and the average time that the application is kept on devices. In one embodiment, server 151 provides various ratings as part of an assessment, in order to provide information about a data object across various dimensions. In one embodiment, ratings can be binary (for example, good, bad) or fuzzy (for example, 100%, 90%, 10%). In one embodiment, the various ratings are combined into an overall assessment. In one embodiment, server 151 processes several data sources available to it to produce an assessment for the data object. For example, server 151 may use application data, device data, characterization data, trust data, distribution data, and user-supplied data to determine whether an application is malicious. The server can use a variety of systems or models applied to the data available on the server to produce the assessment. For example, producing an assessment of whether a data object is malicious may involve a malware detection system that includes a heuristic engine that analyzes characterization data to identify behavior of data objects that is likely to be malicious. Some example heuristics include detecting whether a data object uses any ability to evade detection by hiding from application enumeration systems in the operating system on which it is installed, whether an application tries to modify itself, whether an application has features associated with known spyware, and whether an application connects to known malicious servers.
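The source weighting described above (one hundred trusted sources reporting an application as malicious against ten thousand submissions from a single unverified source reporting it as safe) can be sketched as follows. This is an added example, not code from the patent: the integer reliability scale, the default weight for unverified sources, the decision margin and all source names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MALICIOUS, SAFE, UNKNOWN = "malicious", "safe", "unknown"


@dataclass(frozen=True)
class Submission:
    source_id: str    # identity of the submitting source (constructed names)
    verdict: str      # MALICIOUS or SAFE
    received_at: int  # constructed timestamp; a later submission replaces an earlier one


def naive_majority(submissions):
    """Count every submission equally: the behaviour a flooding source exploits."""
    counts = defaultdict(int)
    for s in submissions:
        counts[s.verdict] += 1
    return max(counts, key=counts.get) if counts else UNKNOWN


def overall_assessment(submissions, reliability, unverified_weight=5, min_margin=50):
    """Combine submissions by unique source and source reliability.

    reliability maps source_id -> weight on an assumed 0-100 scale; sources
    not listed are unverified and get unverified_weight. Each source counts
    once, however many times it submits. Returns (verdict, scores, sources).
    """
    latest = {}
    for s in submissions:
        prev = latest.get(s.source_id)
        if prev is None or s.received_at >= prev.received_at:
            latest[s.source_id] = s

    scores = {MALICIOUS: 0, SAFE: 0}
    for s in latest.values():
        if s.verdict in scores:
            scores[s.verdict] += reliability.get(s.source_id, unverified_weight)

    # Too little weighted evidence either way is reported as unknown.
    if abs(scores[MALICIOUS] - scores[SAFE]) < min_margin:
        return UNKNOWN, scores, len(latest)
    verdict = MALICIOUS if scores[MALICIOUS] > scores[SAFE] else SAFE
    return verdict, scores, len(latest)


def build_sample():
    """Constructed data matching the numbers in the text."""
    trusted = [f"operator-{i}" for i in range(100)]
    reliability = {name: 90 for name in trusted}
    submissions = [Submission(name, MALICIOUS, 1) for name in trusted]
    submissions += [Submission("unverified-1", SAFE, 2 + i) for i in range(10_000)]
    return submissions, reliability


if __name__ == "__main__":
    subs, rel = build_sample()
    print("naive majority:", naive_majority(subs))
    print("weighted:", overall_assessment(subs, rel))
```

Distinct unverified identities still add up under this scheme, so the default weight and the way sources are verified determine how much a set of fabricated sources can move the result.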
A person skilled in the art can appreciate that part of the analysis performed on server 151 to produce an assessment can be viewed as extracting characteristics from a data object, and another part of the analysis can be viewed as applying a model to those characteristics to produce a useful assessment; therefore, a wide variety of systems, such as artificial intelligence systems or algorithms, can be applied to process the characteristics of a data object to arrive at a desired form of assessment. In one embodiment, server 151 produces multiple assessments for a data object that take into account data from different devices or configuration information. For example, if server 151 is configured to produce assessments of whether a data object works correctly, and a data object malfunctions when installed on one type of device but works correctly when installed on another type of device, the server can produce two assessments for the data object. If server 151 has an API by which a mobile communication device 101 can request an assessment for a data object given identifying information for the data object, and the mobile communication device has sent device data to server 151, then server 151 can provide the assessment for the data object that corresponds to the device requesting the assessment. If a device 101 on which the data object malfunctions requests an assessment, then server 151 will return the assessment indicating the data object's malfunctioning behavior on device 101. If a device 101 on which the data object would work correctly requests an assessment, then server 151 will return the assessment indicating the correct operating behavior on device 101. In one embodiment, the assessment indicates whether a data object is allowed to run on a device given a set of policies defined by an administrator.
If multiple policies are configured on server 151 and data store 111 stores which policy must be applied to a device 101, then a data object can have multiple assessments that depend on the policy of the device querying for an assessment. For example, if a device with a strict privacy policy requests an assessment of an application that can share the user's location, server 151 transmits an assessment indicating that the application is not allowed. If a device with a lenient privacy policy requests an assessment for the same application, server 151 transmits an assessment indicating that the application is allowed. In one embodiment, the assessment data is not stored; instead, the information used to produce the assessment, such as application data, device data, distribution information, characterization information, trust data, and categorization information, is stored, and the assessment is made upon request by applying the policy to the stored information. Although automated analysis systems can produce acceptable results most of the time, there may be situations where manual analysis overrides the result of automatic analysis. In one embodiment, server 151 stores the results of manual analysis for a data object and transmits the results of the manual analysis as an assessment. For example, server 151 can categorize an application as a social networking application based on its behavioral data; however, the application may actually be a word processing application that allows the user to post notes to a social network. In this case, a user or administrator can override the categorization of the data object, and server 151 stores the categorization and transmits it in response to a request for an assessment for the data object. In another example, an anti-malware system identifies data objects with certain characteristics as undesirable. It may also be desirable for a user to manually configure server 151 to treat certain data objects as undesirable.
Server 151 stores a list of data objects that are considered undesirable and, when an assessment of one of those data objects is requested, it returns an assessment that indicates that the data object is undesirable. Because it may be desirable for assessments of a data object to reflect the most up-to-date information available, in one embodiment, server 151 first produces an assessment and then updates it if additional application data or device data becomes available or if the analysis system itself is updated. In one embodiment, if a data object is assessed again (for example, because of new application data, device data, or updated analysis systems), server 151 stores the new evaluation 1111 and transmits it 1113. For example, after collecting device data and application data for a data object from ten devices, server 151 can generate an assessment for that data object. Then, if server 151 receives device data and application data from more than 1,000 devices, it can reanalyze the data object in the light of the new data, producing a new assessment for the data object. If the updated assessment is materially different from the first, actions such as notifying devices or users can be performed by server 151.
C. Anti-Malware System
In one embodiment, server 151 and mobile communication device 101 are configured to work together to prevent malware or spyware from harming mobile communication devices. Since mobile communication devices are limited in memory, processing power, and battery capacity, it may be desirable for server 151 to perform the analysis, such as the analysis described here, to determine whether an application is considered to be malware or spyware, instead of each of the devices performing the analysis. In addition, it may be desirable for the server to store the analysis results so that if multiple devices encounter the same application, the analysis does not need to be repeated.
In addition, it may be desirable for server 151 to collect data about potentially malicious applications, using the data collection systems described herein, in order to provide data from a variety of sources for use by analysis systems. In one embodiment, when the mobile communication device 101 evaluates a data object, such as an application package or executable, to determine whether the data object is harmful or unwanted, the device sends a request to server 151 for an assessment of the data object, the request containing identifying information for the data object. In one embodiment, the request transmitted by the mobile communication device 101 contains application data for the data object that is used by the server in performing the assessment. For example, in addition to transmitting identifying information such as an application's package name and hash, the mobile communication device can additionally transmit the permissions requested by the data object and information, such as a list of APIs used, determined by the device by performing static analysis. In one embodiment, the mobile communication device 101 gathers metadata for a data object using facilities provided by the operating system and potentially additional processing. For example, both the Blackberry and Android platforms provide mechanisms by which an anti-malware application can query the list of packages installed on a device. Each also provides methods to query additional information about the packages, such as cryptographic signature information and information about how the packages choose to integrate with or expose themselves to the operating system. In another example, the mobile communication device 101 can extract characteristics from a data object to assist server 151 in producing an assessment. In one embodiment, the mobile communication device 101 performs static analysis on the data object to extract application data to transmit to server 151.
For example, on Android, the device can analyze the executable part of an application package, commonly called "classes.dex". The device can extract a list of inter-process communication calls performed directly or indirectly by the executable file using the "binder" mechanism and transmit the information about the calls to server 151 for use in analyzing the application package. In one embodiment, server 151 may analyze the data object immediately, or may have to collect additional information using a process as described herein. After producing an assessment for the data object, the server transmits the assessment to the mobile communication device 101. In one embodiment, the assessment contains an indication of whether the data object is considered undesirable or not. For example, server 151 can transmit one of three assessments: known as good, known as bad, and unknown. If the server determines that the data object is known to be good (for example, because it has a high trust level), it will return an assessment that the data object is known to be good. If the server determines that the data object is known to be bad (for example, because it is determined to be a piece of malware), it will return an assessment that the data object is known to be bad. If the server does not have enough information to make a decision, it will return an assessment that the data object is unknown. In one embodiment, the assessment contains a risk level for the data object, or a confidence level for the known-good or known-bad assessment, so that the mobile communication device or its user can use the risk or confidence level to determine how to classify the data object. In one embodiment, the assessment transmitted by server 151 to the mobile communication device 101 contains information on why server 151 determined that the data object was undesirable.
For example, server 151 can transmit the name of the malware family to which a given data object belongs, or the server can transmit an HTTP URL referencing server 151 that mobile device 101 can use to display additional information about the data object, the URL containing an identifier that is decoded by server 151 to allow it to retrieve the stored information about the data object. The web page can display additional information, such as the output of the different analysis systems used to produce the assessment. For example, the web page can display distribution information for the data object, information about common servers contacted by the data object, information provided by human analysis of the data object, the trust data associated with the data object, information about the geographic distribution of the data object, information about similar data objects, and information about the author of the data object. It may be desirable to minimize the requests about data objects that the mobile communication device 101 needs to send to server 151, so that the device minimizes the amount of data it receives and transmits, reduces the time required to evaluate a data object, optimizes battery consumption, and minimizes load on server 151. In one embodiment, a mobile communication device 101 maintains a local cache of assessment information received from server 151. The local cache can be stored in a lightweight database such as SQLite or in a proprietary binary file format that is optimized for assessment storage. For example, the cache may contain an indication of whether a data object was undesirable or not, a level of risk associated with a data object, and definition information such as a data object's identifying information. When a device scans a data object, it can look up the data object's identifying information in the local cache. If an assessment for the data object is cached, that assessment is used.
If an assessment is not in the cache, the device retrieves an assessment from server 151. In one embodiment, when a mobile communication device inserts an assessment into its cache for a data object found on the device, it generates definition information for the data object. For example, a device can hash the content of a data object to ensure that it caches the assessment results from a server. In one embodiment, server 151 transmits definition information with an assessment, so that the mobile communication device can apply the assessment to the appropriate set of applications. For example, in some cases, server 151 may indicate that an assessment applies only to a specific data object identified by a hash of its content, while in other cases, the server may indicate that an assessment applies to all data objects signed with the same cryptographic key. In one embodiment, a mobile communication device 101 stores a local cache of definitions for data objects known as good and data objects known as bad, for use by a recognition component (described below) that operates on the mobile communication device. Using the recognition component, the mobile communication device can determine an assessment for a suspect data object if the local cache contains a definition, and a corresponding assessment, that matches the suspect data object. For example, definitions can use criteria such as hash identifiers, package names, and cryptographic signers to match a data object. Each definition can have a corresponding assessment (for example, "good", "bad"). If a definition matches a suspect data object, the definition's assessment is used for the suspect data object. If no definitions correspond to the data object, so that the data object is not recognized as either safe or unsafe, then the mobile communication device 101 can transmit application data for the suspect data object to server 151 for further analysis.
In one embodiment, the cache is used as the primary storage for anti-malware definitions that determine whether the anti-malware program on the mobile communication device 101 will recognize a data object as malicious or not, without having to query server 151. In one embodiment, the cache stores definition information used by a recognition component on the device. For example, the cache may contain definition information, such as package names, cryptographic signers, byte strings, patterns, or logic, that is used to match data objects on a device with cached assessments. If the cache contains an entry linking a particular byte sequence to an assessment of being a malicious application, and a data object on a device contains that byte sequence, then the device will determine that the data object is malicious without having to contact server 151. In one embodiment, the cache contains only definition information, all definitions corresponding to a single assessment of a data object being malicious. In one embodiment, the cache can contain assessment information, the assessment information possibly containing an identifier, as discussed above, which can be transmitted to server 151 so that the device can retrieve information to display to a user. Such an identifier, used to retrieve data from server 151, allows the cache to minimize the information it stores about potential malware. In one embodiment, a device's cache serves as both a white list and a black list. The cache contains definition information for data objects known to be good and known to be bad, so that if a data object is determined to be known as good or known as bad, the device does not need to ask server 151 for an assessment. In one embodiment, the cache that serves as both a black list and a white list is used by a recognition component on the mobile communication device to determine whether data objects are known to be good or known to be bad.
If a data object encountered by a device is not recognized as either good or bad based on definition data stored in the cache, then the device can transmit application data for the data object to server 151 so that the device can receive an assessment for the data object from the server. In one embodiment, the anti-malware software on a mobile communication device is installed with a pre-populated cache of definitions, which is modified by the device as it receives new assessments or as stored assessments are deemed invalid.
In one embodiment, assessments and definitions cached on a device are considered valid only for a period of time, so that the mobile communication device does not rely on data that is potentially out of date. In one embodiment, cached assessments and definitions are stored indefinitely and are considered valid with no time restriction. In one embodiment, a device stores only certain types of assessments and definitions. For example, a device may cache only known good assessments, or it may cache only known bad assessments. In this case, definitions are stored only if they have a corresponding assessment.
In one embodiment, part of the cache is stored in volatile storage, such as RAM, and part of the cache is stored in non-volatile storage, such as flash. Because volatile memory is typically more limited yet much faster than non-volatile memory, a device can store the most frequently accessed assessments and definitions in volatile memory and the less frequently accessed assessments and definitions in non-volatile memory. For example, if an anti-malware system analyzes data objects each time they are opened, it may be desirable to determine an assessment for a data object very quickly if it has recently been scanned and has not changed. By storing a recently used definition and assessment in volatile memory, the device can recall the previous assessment very quickly.
In one embodiment, server 151 transmits cache control information with an assessment, indicating whether the device should cache it and, if so, for how long. For example, server 151 can transmit an assessment for a popular application from a reputable company together with cache control information indicating that a device should cache the assessment. If server 151 transmits an assessment for a lesser-known application, it may include cache control information indicating that the device should not cache the assessment, because the application may be considered undesirable in the future, once more is known about it. In one embodiment, server 151 determines the cache control information based on the confidence of an assessment. For example, known good assessments for applications that have a high level of confidence can be considered highly confident, while assessments indicating that an application is unknown due to a lack of data available to the server may not be considered confident. In one embodiment, when an assessment expires, the cached definition information associated with the assessment also expires.
Because retrieving cached assessments is faster than retrieving assessments from server 151 (thus minimizing the delay and overhead of determining whether a data object is malicious), it may be desirable to maximize the number of assessments that can be determined locally from cached data. In one embodiment, the server transmits assessments to a mobile communication device without the device requesting them, and the mobile communication device stores those assessments in its cache. Because all of the assessments available to server 151 may require more storage than is desirable on mobile communication device 101, the server may transmit only a subset of its available assessments. In one embodiment, server 151 determines which assessments to transmit to mobile communication device 101 by analyzing device data and application data.
For example, server 151 can store the operating system with which a data object is compatible in association with the assessment for that data object, so that the server can query for all assessments for a given operating system. Server 151 can then transmit to a mobile communication device only the assessments for data objects that are compatible with the operating system the device is running. The other assessments would not be transmitted to the device, because the data objects they reference cannot run on the device's operating system. In another example, the server may use a device's country, language, or area code to determine which assessments to transmit to the device. Users in the United States are not likely to download applications in Russian, just as users in Russia are unlikely to download Spanish-language applications.
In one embodiment, server 151 stores which assessments it has already transmitted to a device and the device has successfully received, so that assessments are not retransmitted unnecessarily. If a device has not received the desired assessments, the server transmits them the next time the device is powered on. To efficiently track which assessments a device has already received, server 151 can group assessments so that a given device receives all assessments in one or more groups. For example, a given assessment group may change (for example, new data objects are assessed, or existing assessments change) several times a day, while a device may be configured to receive updated assessments only once a day. To determine which assessments to transmit to a device, the server can record the time at which the device last received up-to-date assessments for a group and examine only the changes made to the group since then.
For example, if a device receives all assessments for a particular group on Monday and two new assessments are added to the group on Tuesday, then when the device connects on Wednesday, the server needs only to query for the assessments in the group that have changed since Monday, and will determine that it needs to transmit only the two additional assessments. In one embodiment, the server uses a push service, as described in the present invention, to alert a device that there are additional assessments that the server is ready to transmit to it. With such a push service, when the server updates the assessments that are part of a group, all devices that receive assessments from that group can be updated with the most recent assessments almost immediately.
There are a variety of ways in which server 151 can group assessments in order to transmit them to a device selectively. For example, there may be more assessments for data objects compatible with a particular operating system than it is desirable to store on a device. In this case, the server can produce a set of assessments corresponding to the most prevalent data objects, based on distribution data or market data available to server 151. Devices will then cache assessments for the data objects they are most likely to encounter. It is also possible to further improve the likelihood that a device has cached the assessment for a data object it encounters by having server 151 analyze the application data available at the server for data objects previously encountered by the device and predict, based on those previous encounters, which data objects the device is likely to encounter in the future. The assessments for these likely data objects can then be transmitted to the device.
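The per-group bookkeeping described above (operating-system filtering, confirmed receipt, and the Monday/Tuesday/Wednesday case), as an added example that is not code from the patent. The class names, group names, object hashes and dates are constructed, and using the newest delivered change as the per-device marker is an assumption.

```python
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple


class Assessment(NamedTuple):
    object_hash: str
    verdict: str
    changed_at: datetime


class AssessmentGroup:
    """A named set of assessments for data objects of one operating system."""

    def __init__(self, name: str, operating_system: str):
        self.name = name
        self.operating_system = operating_system
        self._latest: Dict[str, Assessment] = {}

    def upsert(self, object_hash: str, verdict: str, when: datetime) -> None:
        # A newly assessed object and a changed verdict both count as a change.
        self._latest[object_hash] = Assessment(object_hash, verdict, when)

    def changed_since(self, since: Optional[datetime]) -> List[Assessment]:
        changed = [a for a in self._latest.values()
                   if since is None or a.changed_at > since]
        return sorted(changed, key=lambda a: a.changed_at)


class AssessmentServer:
    def __init__(self) -> None:
        self._groups: Dict[str, AssessmentGroup] = {}
        # (device id, group name) -> newest change the device confirmed receiving
        self._received: Dict[Tuple[str, str], datetime] = {}

    def add_group(self, group: AssessmentGroup) -> None:
        self._groups[group.name] = group

    def pending(self, device_id: str, device_os: str) -> Dict[str, List[Assessment]]:
        """Changes to send: only groups for the device's OS, only what is new."""
        batch = {}
        for group in self._groups.values():
            if group.operating_system != device_os:
                continue  # these objects cannot run on the device
            since = self._received.get((device_id, group.name))
            changes = group.changed_since(since)
            if changes:
                batch[group.name] = changes
        return batch

    def confirm_received(self, device_id: str, batch: Dict[str, List[Assessment]]) -> None:
        """Advance the marker only after the device reports successful receipt,
        so an interrupted transfer is sent again on the next connection."""
        for name, changes in batch.items():
            self._received[(device_id, name)] = changes[-1].changed_at


if __name__ == "__main__":
    server = AssessmentServer()
    group = AssessmentGroup("android-prevalent", "android")
    server.add_group(group)
    for h in ("aa01", "aa02", "aa03"):
        group.upsert(h, "good", datetime(2011, 8, 21, 12, 0))
    monday = server.pending("device-1", "android")
    server.confirm_received("device-1", monday)
    group.upsert("aa04", "bad", datetime(2011, 8, 23, 9, 0))    # Tuesday
    group.upsert("aa05", "good", datetime(2011, 8, 23, 15, 0))  # Tuesday
    wednesday = server.pending("device-1", "android")
    print([a.object_hash for a in wednesday["android-prevalent"]])
```
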
Because the ideal amount of assessment data to cache on a device may differ depending on the device's hardware, user behavior, or user preferences, it may be desirable for the amount of data to be adjustable. In one embodiment, the amount of assessment data to cache on mobile communication device 101 is determined by server 151. For example, server 151 can examine the amount of storage available on a device, the frequency with which the user downloads applications, and how likely additional cached assessment data is to reduce the number of assessment requests transmitted by the device. If a device has a lot of available storage and its user downloads a lot of applications, the server may decide to cache a large amount of assessment data; if a device has little available storage and its user rarely downloads applications, the server may decide to cache only a small amount of data, or none at all. The server can also review previous assessment requests made by the device to determine whether those requests could have been avoided had the device cached additional assessment information. For example, if a device currently receives assessments belonging to a particular group of applications and the server is evaluating whether the device should also receive assessments for an additional group of applications, the server examines previous assessment requests to determine how many of them were for assessments in the second group. If server 151 determines that a sufficient number of assessment requests would have been avoided, it begins transmitting assessments from both groups to the device. In one embodiment, a user can control the amount of storage to allocate to cached assessments on mobile communication device 101.
Instead of always producing an absolute assessment (for example, known good or known bad), it may be desirable for server 151 to report that it does not yet have an assessment.
In one embodiment, server 151 transmits an assessment for a data object indicating that the object's undesirability is unknown. When mobile communication device 101 encounters a data object, transmits a request to server 151 for an assessment, and receives an unknown assessment, the device temporarily trusts the data object and retries the request at a later time. To avoid unnecessary requests, the device increases the delay between retries if it continues to receive unknown assessments. During a period of temporary trust, the device does not retransmit an assessment request each time the data object is scanned. For example, in an anti-malware system on a mobile device designed to scan files on a file system when they are accessed, the first access to a data object may result in the device transmitting an assessment request to server 151. If the server returns an unknown assessment, the device stores a temporary entry in its assessment database indicating the identifying information for the data object, a provisional assessment indicating that the data object is allowed, and the period of time for which the assessment is valid.
In one embodiment, server 151 transmits information about a data object in an unknown assessment, and mobile communication device 101 uses the assessment data from server 151 as an input to a local analysis system. For example, mobile communication device 101 may have a heuristic system that analyzes the content of a data object to determine whether it is harmful. In the case of a known good or known bad result from server 151, the device either does not run the heuristic system or discards its result.
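The device-side cache behaviour described so far (definitions matched by content hash, signer or package name; server cache control with a validity period; temporary trust with a growing retry delay for "unknown"), as an added example that is not code from the patent. All names and sample values are constructed, and the 60-second first retry, the doubling, and the rule that a matching "bad" definition outranks "good" are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GOOD, BAD, UNKNOWN = "good", "bad", "unknown"


@dataclass(frozen=True)
class DataObject:
    package_name: str
    signer: str      # fingerprint of the signing key (constructed values)
    content: bytes

    @property
    def content_hash(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class CacheEntry:
    assessment: str
    expires_at: Optional[float]  # None means valid with no time restriction
    retry_delay: float = 0.0     # used only by provisional "unknown" entries


class AssessmentCache:
    """Definitions on the device and the assessments they map to."""

    def __init__(self, first_retry: float = 60.0, max_retry: float = 86400.0):
        self._entries: Dict[Tuple[str, str], CacheEntry] = {}
        self.first_retry = first_retry
        self.max_retry = max_retry

    @staticmethod
    def _keys(obj: DataObject):
        # The three matching criteria named in the text.
        return (("hash", obj.content_hash),
                ("signer", obj.signer),
                ("package", obj.package_name))

    def store(self, criterion, value, assessment, now, max_age=None, cacheable=True):
        """Apply a server assessment together with its cache control information."""
        key = (criterion, value)
        if not cacheable:
            self._entries.pop(key, None)  # server asked the device not to keep it
            return
        expires = None if max_age is None else now + max_age
        self._entries[key] = CacheEntry(assessment, expires)

    def store_unknown(self, obj: DataObject, now: float) -> float:
        """Record temporary trust; return the delay before the next request."""
        key = ("hash", obj.content_hash)
        prev = self._entries.get(key)
        if prev is not None and prev.assessment == UNKNOWN:
            delay = min(prev.retry_delay * 2, self.max_retry)  # still unknown: back off
        else:
            delay = self.first_retry
        self._entries[key] = CacheEntry(UNKNOWN, now + delay, delay)
        return delay

    def lookup(self, obj: DataObject, now: float) -> Optional[str]:
        """Return "good", "bad" or "unknown", or None when the server must be asked."""
        found = set()
        for key in self._keys(obj):
            entry = self._entries.get(key)
            if entry is None:
                continue
            if entry.expires_at is not None and now >= entry.expires_at:
                # An expired definition goes away with its assessment. An expired
                # "unknown" is kept so the next retry delay can be lengthened.
                if entry.assessment != UNKNOWN:
                    del self._entries[key]
                continue
            found.add(entry.assessment)
        # Assumption: when several definitions match, "bad" wins, then "good".
        for verdict in (BAD, GOOD, UNKNOWN):
            if verdict in found:
                return verdict
        return None


if __name__ == "__main__":
    cache = AssessmentCache()
    app = DataObject("com.example.notes", "signer-fp-A", b"constructed v1")
    cache.store("signer", "signer-fp-A", GOOD, now=0, max_age=3600)
    print(cache.lookup(app, now=10), cache.lookup(app, now=3600))
    new_app = DataObject("org.example.new", "signer-fp-B", b"constructed new app")
    print([cache.store_unknown(new_app, now=t) for t in (0, 60, 180)])
```
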
If server 151 returns an unknown result that includes a confidence level for the data object, device 101 combines the result of the heuristic system with the confidence level provided by the server to determine whether to treat the data object as undesirable. For example, mobile communication device 101 can scale the result of the local analysis based on the confidence level reported by server 151. If a heuristic system on the device determines that a data object has 66% risk and an unknown assessment from server 151 indicates that the data object has a suspicious 1% confidence level, the device determines that the data object is undesirable; if, however, the unknown assessment from server 151 indicates that the data object has a 70% confidence level, device 101 determines that the data object is desirable.
To respond to undesirable applications, such as malware and spyware, as soon as they are identified as such, it may be desirable for server 151 to transmit notifications to mobile communication device 101 about data objects that are determined to be undesirable after previously being classified as good or unknown. In one embodiment, server 151 stores information about the data objects encountered by mobile communication device 101 so that, if a data object encountered by the device was assessed as good or unknown but is subsequently determined to be undesirable, server 151 can determine all devices that have encountered the data object and transmit a notification indicating that the data object is undesirable. In one embodiment, server 151 transmits a notification to device 101 only if the data object that is the subject of the notification can operate on the device's operating system. For example, if a device runs Blackberry and has encountered an Android spyware application, server 151 would not transmit a notification to the device; if the device encountered a Blackberry spyware application, server 151 would transmit a notification.
As disclosed herein, whether a data object can operate on a given device can be determined by analyzing device data for the device and application data for the data object. In one embodiment, the communication transmitted from server 151 to device 101 is designed to be consumed by the device and includes both identification information and remediation information for the data object. For example, the notification can use a push service provided by a platform provider and include the package name and content hash for a data object. The notification can also specify a corrective action, such as killing all processes that contain the data object, prompting the user to uninstall the data object, and deleting the data object without user intervention. In one embodiment, the notification includes information for display to a user about the data object, such as remediation instructions, an explanation of why the data object is considered undesirable, or a request to take a particular action. In one embodiment, the communication is in the form of a user-readable message, such as a text message, email, or phone call. It may be desirable for the server to perform both user-readable and machine-readable notification to ensure that a user responds to a dangerous data object. For example, the server can transmit an email message to a user and transmit a notification to the device to remove the data object without user intervention.
In one embodiment, mobile communication device 101 maintains a database of all data objects present on the device, and server 151 transmits updated signature data to the device when a data object encountered by the device is determined to be undesirable. When the device receives the updated signature data, it compares the updated signature data against the data objects present on the device.
If data objects present on the device are considered undesirable by the updated signature data, the device immediately initiates remediation actions, without waiting for the next time those data objects are scanned.
If an anti-malware system performs an assessment for a data object, it may be desirable to trust the data object as long as it has not changed, to avoid having to re-assess it. In one embodiment, mobile communication device 101 maintains a list of data objects that have been identified, analyzed, and considered desirable. When a data object is to be scanned, the device can first check this list to see whether the data object is present. If it is present, the device does not scan the object again. After scanning a file and determining that it is desirable, the device places an identifier for the data object in the list. Examples of identifiers include a file name, a file system node identifier, or an operating-system-specific data object. In one embodiment, the mobile communication device saves this list of data objects to non-volatile storage so that the list is preserved even if the device is restarted or runs out of battery.
When assessments are stored and subsequently accessed, it is important that each stored assessment be valid only for a given set of data object content. If the content of the data object changes, a different assessment may be necessary, because the data object may have been modified to include malicious code that was not present in the original. In one embodiment, the list contains a cryptographic hash of the content of the data object. When the device determines whether the data object is in the list, it compares the hash of the data object as stored on the device with the hash stored in the list. If the hashes match, the data object is considered to be in the list. In one embodiment, the anti-malware software can determine when files are opened and closed.
If a file in the list is opened with write access, it is removed from the list. As long as the file is open, it cannot be added to the list.
It will be appreciated that one embodiment of the present disclosure contemplates other ways to reduce network traffic while still providing sufficient options for securing mobile communication devices. In one example, a mobile communication device may request an analysis of all data residing on the device (a "scan") when the mobile communication device is first turned on, or when the application responsible for monitoring the mobile communication device is first launched. This provides a baseline analysis of the security of the mobile communication device. Future scans can be performed when new applications are accessed by the mobile communication device, at predefined time intervals, or at the user's request. Scans can be adjusted depending on access to network 121. If connectivity is a problem, then only the most recent data, or suspect data, may be assessed. Scans can be queued and performed when connectivity improves.
In one embodiment, an anti-malware system on mobile communication device 101 can perform both on-demand and scheduled scans of all data objects present on the device. If the anti-malware system uses server 151 to perform assessments for data objects, it may be desirable to optimize the time required to perform a scan. Because network latency introduces a delay between the time a device transmits an assessment request and the time it receives a response from server 151, it may be desirable to pipeline requests so that the device does not simply sit idle while waiting for a response. In one embodiment, the mobile communication device transmits a request to server 151 for assessments of multiple data objects, and server 151 transmits assessments for the multiple data objects to the device.
For example, during an on-demand scan, a device can be configured to first enumerate all data objects on the device and then send server 151 a request to assess all of the enumerated data objects. In another example, a device can enumerate ten data objects at a time, then send a request to the server and receive a response for those ten data objects before scanning additional data objects. In another example, a device can enumerate data objects and transmit assessment requests, continuing the enumeration without waiting for assessment responses from the server. The device may wait for responses only once the enumeration is complete.
In an anti-malware system that blocks the loading or execution of a data object until the system has reached a disposition, it may be desirable to assess a data object before it needs to be loaded or executed. In one embodiment, mobile communication device 101 proactively scans data objects and stores the results so that when a data object is loaded, the device can look up the previous scan result. For example, when a device loads a program that depends on several other files (for example, an executable linked to shared libraries), an anti-malware system on the device can analyze the program to determine all the libraries it depends on, send a request to server 151 for assessments of the program and its dependent libraries, and then allow the program's execution to proceed once the device receives positive assessment results. When the device's operating system loads the libraries the application depends on, no request to server 151 is required because the system already has up-to-date assessments for the libraries. If the libraries were not proactively analyzed, the total load time for the program could be longer, because the device might have to wait for multiple requests to server 151 to occur in series. In one embodiment, software on a mobile communication device analyzes data objects after they are downloaded but before they are executed.
For example, anti-malware software on a device can watch the download directory for new files, or it can simply wait for files to be created, written, and then closed. After the download completes, the software can start a scan of the new file so that once the file is opened, the system has already assessed it and can recall the previous assessment.
If an anti-malware system blocks operations requested by the user or the operating system while it is assessing a data object, it may be desirable to give the user an indication that an assessment is in progress, especially if the assessment depends on a network connection that can have significant latency. In one embodiment, an anti-malware system on mobile communication device 101 displays a user interface indicating that a data object is being scanned while the system is scanning the data object and blocking the operations requested by the user. For example, if an anti-malware system prevents applications from running until the application and all of its dependent libraries have been assessed, by interposing itself in the application launch process, there may be a significant delay noticeable to the device's user. The annoyance associated with the delay can be mitigated by informing the user of what is happening, instead of the device simply appearing unresponsive. When a user launches an application, the device displays a user interface indicating that the anti-malware system is assessing the application the user is launching. In one embodiment, the user interface allows the device's user to skip waiting for the scan to finish. For example, if the device's scan of a data object needs to connect to server 151 and the user does not want to wait, the user can proceed without waiting for the assessment to return.
If the assessment subsequently returns indicating that the data object is malicious, the device can initiate remediation actions, such as killing all processes that contain the data object and deleting the data object, even though the data object was allowed to run.
A user may be interested in having an application assessed but may not want to wait for a response from server 151. The user can choose to forgo the full analysis and use the application while waiting for the analysis results. In such a situation, it would be useful if server 151 or the user's mobile communication device 101 could provide a temporary trustworthiness assessment prior to formal analysis. Reports can be in the form of an interface element, a notification, a warning, a risk rating, or the like. In one embodiment, mobile communication device 101 can perform a local analysis to determine whether an application is temporarily trustworthy. It may also be desirable to display information about a data object in the user interface that indicates when the anti-malware system is waiting for an assessment from a server, so that users do not accidentally skip items that are high risk. In one embodiment, the waiting user interface shows the result of the local analysis while waiting for an assessment from server 151. For example, the user interface can show the capabilities of the data object or a risk score for the data object. In one embodiment, the device allows the user to skip waiting for an assessment from server 151 only if local analysis determines that the data object is low risk. For example, a risk score can be calculated by analyzing which sensitive functionality a data object accesses. A data object that accesses the user's contact list and browser history can be considered higher risk than a data object that does not access any sensitive functionality.
In one embodiment, an anti-malware system on device 101 determines whether it should wait for a response from server 151 before reaching a conclusion, based on the context of the scan. For example, scans that occur during system startup, or when there is no active network connection, should not block waiting for a response from the server. To determine whether a network connection exists, the anti-malware system can rely on a variety of methods, such as querying network interface status information provided by the operating system and analyzing whether requests to server 151 have timed out. If the anti-malware system intercepts system calls, scans that occur as a result of the system trying to execute a data object should block while waiting for a response from server 151, while scans that result from an application obtaining information about a data object (for example, a file manager extracting an icon for the data object) should not block while waiting for a response. In one embodiment, if a request for an assessment of a data object cannot be completed, it is retried at a later time.
In one embodiment, the anti-malware system skips portions of server or local analysis if an accurate assessment can be produced without the additional analysis. For example, if local analysis determines that a data object is not risky, the device may not request an assessment from server 151; the device may request an assessment from server 151 only if the data object being scanned has a minimum degree of risk as determined by a local analysis component on the device. In one example, the decision to skip waiting for additional results depends on both the results and the system that returned each result.
A "bad" result from local analysis received before a result from server 151 may be sufficient to treat a data object as malicious; a "good" result from local analysis, however, may still require the system to wait for an assessment from server 151 to confirm that the data object is good before determining a final disposition.
In one embodiment, if the various analysis systems produce different results, the anti-malware system on a device analyzes the results of the systems to determine the final disposition of a data object, taking into account both the results that were produced and the system that produced each result. For example, the anti-malware system may determine that a single undesirable result is sufficient to flag a data object as undesirable. In another example, server 151 can be treated as authoritative, or server 151 can transmit a confidence level for its assessment so that device 101 can determine whether to treat the assessment as authoritative. In another example, known bad results from server 151 may be authoritative, but known good results from the server can be overridden by a known bad result from a local analysis system on device 101.
In one embodiment, server 151 stores a list of malware or other undesirable applications that have been detected on the device and are still active on the device. To populate this list, mobile communication device 101 sends events to server 151, including whenever it encounters an undesirable application, whenever an undesirable application is removed, and whenever an undesirable application is ignored. The events include identifying information for data objects so that server 151 can correlate the events with known data objects.
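The rules for combining local and server results described above, together with the earlier 66% / 1% / 70% scaling case and the scan-context rule for blocking, as an added example that is not code from the patent. The thresholds, the multiplication used for scaling, and the context names are assumptions.

```python
from enum import Enum
from typing import Optional


class Verdict(Enum):
    GOOD = "good"
    BAD = "bad"
    UNKNOWN = "unknown"


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    WAIT_FOR_SERVER = "block the operation until the server answers"
    ALLOW_AND_RETRY = "allow provisionally and ask the server again later"


# Assumed thresholds; the text gives only the 66% / 1% / 70% example.
LOCAL_BAD = 0.90            # local risk at or above this is a local "bad" result
UNDESIRABLE = 0.50          # scaled risk at or above this is treated as undesirable
MIN_RISK_FOR_SERVER = 0.05  # below this the object is "not risky": no server request

# Only an attempt to execute the object blocks on the server; scans at boot or
# for metadata (a file manager extracting an icon) never do.
BLOCKING_CONTEXTS = {"execute"}


def scaled_risk(local_risk: float, server_confidence: float) -> float:
    """Scale the heuristic result by the confidence the server reports."""
    return local_risk * (1.0 - server_confidence)


def decide(local_risk: float,
           server: Optional[Verdict] = None,
           server_confidence: float = 0.0,
           context: str = "execute",
           network_up: bool = True) -> Action:
    """Final disposition from the local risk score and the server result, if any."""
    if not (0.0 <= local_risk <= 1.0 and 0.0 <= server_confidence <= 1.0):
        raise ValueError("risk and confidence must lie in [0, 1]")

    # A known bad result from the server is authoritative.
    if server is Verdict.BAD:
        return Action.BLOCK
    # A local "bad" is sufficient on its own: before any server result arrives,
    # and also overriding a known good result from the server.
    if local_risk >= LOCAL_BAD:
        return Action.BLOCK
    if server is Verdict.GOOD:
        return Action.ALLOW
    if server is Verdict.UNKNOWN:
        if scaled_risk(local_risk, server_confidence) >= UNDESIRABLE:
            return Action.BLOCK
        return Action.ALLOW_AND_RETRY  # temporary trust, request repeated later

    # No server result yet.
    if local_risk < MIN_RISK_FOR_SERVER:
        return Action.ALLOW
    if context in BLOCKING_CONTEXTS and network_up:
        return Action.WAIT_FOR_SERVER  # a local "good" still awaits confirmation
    return Action.ALLOW_AND_RETRY


if __name__ == "__main__":
    cases = [
        ("66% risk, unknown at 1% confidence", decide(0.66, Verdict.UNKNOWN, 0.01)),
        ("66% risk, unknown at 70% confidence", decide(0.66, Verdict.UNKNOWN, 0.70)),
        ("local bad, server good", decide(0.95, Verdict.GOOD)),
        ("local good, execute, no answer yet", decide(0.20)),
        ("local good, icon extraction", decide(0.20, context="metadata")),
        ("local good, no network", decide(0.20, network_up=False)),
    ]
    for label, action in cases:
        print(f"{label}: {action.name}")
```
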
Because a user can choose to ignore malware, it is important that the user be able to view the list of ignored malware, to avoid a situation in which a malicious user installs malware on someone's phone and configures the anti-malware software on the phone to ignore that malware, preventing the system from removing it automatically. In this circumstance, the legitimate user of the phone is able to tell that a piece of malware is active on the device but is being ignored. In one embodiment, because server 151 has data indicating whether device 101 currently has active malware, a network access control system can allow or deny the device network access according to its malware status by querying server 151 for the status of the given device.
In one embodiment of the present disclosure, server-side or "cloud" analysis can be performed using a version of the three-component system described in U.S. Patent Application No. 12/255,621, which is incorporated herein in its entirety. An example of a three-component system is illustrated in Figure 9 and includes a first component 903, which can be used to recognize data that is safe, or "known good" (also referred to herein as being part of, or included in, a "white list"). A second component 905 can be used to recognize data that is malicious, wastes device resources, or is "known bad" (also referred to herein as being part of, or included in, a "black list"). A third component 907 is a decision component that can be used to assess data that is neither known good nor known bad, that is, "unknown". In one embodiment, known good component 903 and known bad component 905 may reside on mobile communication device 101, and decision component 907 may reside on server 151. In one embodiment, known good component 903, known bad component 905, and decision component 907 may all reside on server 151.
In one embodiment, portions of known good component 903, known bad component 905, and/or decision component 907 may reside on mobile communication device 101, and portions of known good component 903, known bad component 905, and/or decision component 907 may reside on server 151. In one embodiment, known good component 903 and known bad component 905 reside on server 151, while decision component 907 resides on mobile communication device 101.
For example, data store 111 may contain malware definitions that are continuously updated and accessible by server 151. Mobile communication device 101 can be configured to send application data, such as a hash identifier, for a suspect data object to server 151 for analysis. Server 151 may contain known good component 903, known bad component 905, and decision component 907, or the components may be distributed across two or more servers. The one or more servers can thus use the application data to determine whether the suspect data object is a known safe data object. If the suspect data object is known to be safe, the one or more servers can notify the mobile communication device or instruct the device to accept and process the data object. The one or more servers can then use the application data to determine whether the suspect data object is known to be malicious. If the suspect data object is known to be malicious, the one or more servers can notify the mobile communication device or instruct the device to reject the data object and not process it further.
The known good and known bad components can have a variety of methods for recognizing known good and known bad data objects. The data, logic, and any other information used by the known good and/or known bad components to identify known good or known bad data objects, respectively, can be called "signatures" or "definitions" (explained below).
If the components known as good and known as bad are not conclusive, one or more servers can perform additional analysis to reach a decision on the disposition of the data object. In one embodiment, server 151 contains a decision component that uses one or more analysis systems to analyze application data for the data object and determine whether or not the data object is considered undesirable. In one embodiment, if there is not enough information to perform the additional analysis, then one or more servers can request that a mobile communication device send additional application data to the server for analysis. For example, a device may initially send a hash identifier, package name, and cryptographic signer information for a data object to a server for analysis. If the component known as good or the component known as bad cannot identify the data object as known good or known bad, the server can request that the device send the complete data object to the server so that the data object itself can be analyzed. Upon receipt of the additional application data, further analysis to reach a disposition as to whether a device should accept or reject the data object can be performed by decision component 907, or manually. In one embodiment, the server stores whether or not a specific data object needs manual analysis so that an analysis team can easily determine which data objects need to be analyzed. Because an evaluation for a data object may depend on human analysis to be produced, server 151 can use the analysis systems to store a list of suspicious data objects that need further study. In one embodiment, some results from the analysis systems on server 151 produce assessments that are transmitted to the mobile communication device 101, and others identify data objects as needing human analysis.
For example, if server 151 uses sets of heuristics to identify malicious applications, one set of heuristics can be well tested and provide acceptable accuracy in correctly identifying malicious behavior, while another set of heuristics can be experimental, requiring human analysis to determine whether the results are acceptable.
In the following, each of the components identified above will be described in more detail. A person skilled in the art will appreciate that since the total number of applications known to be good for mobile devices can be identified, the use of the component known as good 903 coupled with a database, logic, or other data store containing definitions for data objects known to be good (for example, application data, such as hash identifiers) can significantly reduce false-positive detection of undesirable applications and reduce the need to perform computationally costly analysis or contact a server for analysis. A person skilled in the art will also appreciate that the use of a component known as good 903 can be particularly effective for data that contains executable software code. The executable software code for a given application rarely changes between different mobile communication devices, so creating a database of application data known to be good, or logic for evaluating such application data, can be an effective method for recognizing secure or reliable data. This database may vary in size, depending on the resources available on the mobile communication device. Alternatively, aspects of the present disclosure, such as the components known as good or bad, may have access to a remote server with a large library of application data for data objects known to be good or bad, such as server 151 coupled to data store 111 in figure 1.
In one embodiment of the present description, the component known as bad 905 may have access to a database, logic, or other data store containing definitions for data objects known as bad that can be stored on the mobile communication device without taking up a lot of memory. For example, definitions of viruses and other malware or spyware may include application data, such as hash identifiers, package names, cryptographic signers, byte strings, and byte patterns stored in a database or other memory cache. In other words, there may be a known bad database that complements the database known as good stored on the mobile communication device 101. Additionally or alternatively, the component known as bad 905 may be able to identify malware using features common to other malicious software code. When applied to network data or data files, a component known as bad 905 may have access to a database containing the patterns and other characteristics of a protocol data unit or file format that poses a security threat. The component known as bad 905 can also identify data that undesirably affects a mobile communication device, such as by exposing or transmitting private or unauthorized information to third parties, or by using the device's resources unnecessarily. As with the component known as good 903 and its database, all data identified as "bad" can be deleted, quarantined, or rejected from further processing by the mobile communication device. If a known data object is detected, a method of this disclosure may also display a notification or other message similar to that described in pending US patent application No. 12/255,635, entitled "SECURITY STATUS AND INFORMATION DISPLAY SYSTEM", filed on 21 October 2008 and incorporated here in its entirety. Decision component 907 can be used to evaluate data that cannot be characterized as good or bad.
Since most of the data received on the mobile communication device 101 can fall within this category, this component can reside on server 151. This component can use a variety of methods for producing an assessment for a data object, including the use of any of the analysis systems described here. For example, decision component 907 may apply static analysis, dynamic analysis, distribution analysis or other analysis methods in order to determine whether received data can be passed on to its intended destination or should be rejected to prevent damage to the device. Examples of this analysis are discussed below.
The following examples illustrate how one or more servers can be used to augment or replace the methods described in U.S. Patent Application No. 12/255,621. Various systems containing the component known as good, the component known as bad, and the decision component are possible. Depending on the specific types of data to be analyzed and the types of security threats to be prevented, different execution orders and different logic applied to each component's output can be employed. In one embodiment, if the data is not determined to be good by the component known as good 903 (block 805), it is rejected from processing (block 813). Data that the component known as good 903 determines to be good (block 805) is further analyzed by the component known as bad 905 (block 807). If the component known as bad 905 determines that the data is bad (block 807), it is rejected from processing (block 813); otherwise the data can be analyzed by decision component 907 (block 809). In one embodiment, if the data is not determined to be known as good by the component known as good 903, the component known as bad 905 analyzes it. If the component known as good determines the data to be good, it is allowed. If the component known as bad 905 determines the data to be bad, it is rejected from processing (block 813).
If the component known as bad 905 does not determine the data to be bad, the data can be analyzed by decision component 907 to obtain an assessment for the data.
An example of analyzing network data or data files present on a mobile communication device is shown in figure 8. As shown in figure 8, block 801 can involve collecting data sent or received from the mobile communication device. The data can be analyzed to identify its protocol and range status (block 803). In block 805, the component known as good 903 residing in the mobile communication device can evaluate the collected data for characteristics known as good. Characteristics known to be good may include characteristics discussed previously or described in U.S. Patent Application No. 12/255,621. If the data contains enough characteristics known to be good, it may be allowed to proceed to its intended destination (block 811) for processing or another operation. Alternatively, the data can be further analyzed by the component known as bad 905 residing in the mobile communication device to confirm that the data is really safe (block 807). If the component known as bad determines that the data is really safe, then the data can be allowed to proceed to its intended destination (block 811). Decision component 907 may also be available to provide a final check (block 809) before allowing the data to proceed (block 811).
The analysis of a data object can be performed at any time. For example, the data object can be evaluated before accessing or downloading, or after downloading but before installation, or after installation, or, if the data is an application, before or after installing a new version of the data object. In one embodiment, a data object that has not yet been transferred to a device is evaluated using identification information about the data object.
For example, if an app market accessible to a mobile device makes apps available for download and provides identifying information about the data object, such as a hash of the app's content or a package name for the app, the program on the mobile communication device can use the identification information to determine an evaluation for the application, either by evaluating the identification information locally through any of the systems described here or by transmitting the identification information to server 151 and receiving an evaluation from the server. In this way, the program on the mobile communication device can assess whether or not applications are undesirable before a user downloads them. At any point during the analysis, if the component known as good 903, the component known as bad 905 or decision component 907 (discussed later) determines that the data is not good, or indicates that there are security threats, data inconsistencies, etc., then, in block 813, the data will be blocked, rejected, deleted or quarantined. In one embodiment of the present description, signaling or security event information can be updated to record the encounter with the contaminated data.
The analysis of executable data, such as applications, programs and/or libraries on the mobile communication device can proceed as illustrated in figure 9. In block 901, the executable is determined to need to be classified as good or bad, as a result of an attempt to access the executable file, the installation of the executable, or the executable being downloaded or transferred to the mobile device. The executable may or may not be pre-processed to extract additional application data, such as a hash identifier, cryptographic flag, package name or other characteristics, before being evaluated by the component known as good 903 resident on the mobile communication device (block 903).
This assessment may include comparing the hash identifier of the executable or other characteristics against a database of characteristics known to be good, identifying whether the executable has enough characteristics known to be good, or applying any of the criteria discussed above or described in U.S. Patent Application No. 12/255,621. If the executable is recognized as known good, then in block 911, it can be allowed to execute its code or proceed to its intended destination for processing or other operation. If the component known as good 903 does not release the executable data, then the component known as bad 905 residing in the mobile communication device can perform its analysis (block 905). If the component known as bad 905 confirms that the executable is malicious, then the executable can be quarantined, rejected, or deleted, and the event can be logged (block 909). If the component known as bad 905 is unable to characterize the executable, then decision component 907 can perform its analysis, as further described below (block 907). If decision component 907 ultimately determines that the executable is safe, then the executable is allowed (block 911). If decision component 907 ultimately determines that the executable is not secure, or remains in doubt, then the executable can be quarantined (block 909). One skilled in the art will realize that executables can contain code that can cause significant damage to the mobile communication device, which will require more rigorous analysis before the executable is released. One skilled in the art will appreciate that the component known as good 903 and the component known as bad 905 can be kept resident on the mobile communication device by storing only definition information about the applications most likely to be accessed by the mobile communication device.
As described above, this information can be determined, for example, based on data from the device, the applications previously installed on the mobile communication device, and the way the mobile communication device is used (for example, work versus entertainment, access to public networks versus private networks, etc.). It will be appreciated that each mobile communication device can store different definition information, and that an embodiment of the present description contemplates such granularity.
As discussed above and throughout the description, one embodiment of this description is directed to server-side analysis of the data in the case that the component known as good 903 and the component known as bad 905 are unable to determine whether the data is secure. In one embodiment, decision component 907 resides on one or more servers 151 in communication with the mobile communication device over the network 121, that is, "in the cloud". The decision component may have one or more analysis systems, such as the analysis systems described here. Because decision component 907 resides on computing resources that are more powerful than the mobile communication device, it can provide a more robust analysis to determine whether the data should be considered good or bad for device 101. Analysis performed by server 151 can take advantage of the data collected by the server to produce an assessment that would not be possible based only on the data available to the mobile communication device 101. For example, decision component 907 on server 151 may determine that a data object is malicious if the behavioral data reported by devices indicates that the data object sends value-added SMS messages or dials value-added phone numbers on devices it is installed on. In one embodiment, decision component 907 uses one or more types of internal analysis systems to characterize whether a data object is good or bad.
Decision component 907 is designed to detect security threats without specific definitions for the threats being protected against. In other words, decision component 907 can operate as an additional security component to compensate for possible failures of the component known as good 903 or the component known as bad 905 and to identify new threats that have not been previously identified. A person skilled in the art will appreciate that there are a number of analysis systems that can be used by decision component 907, including, but not limited to, systems using heuristic methods, rules-based or non-rules-based expert systems, fuzzy logic systems, neural networks, or other methods by which systems can classify a data object. As described above, these systems can use a variety of data available to decision component 907, including, but not limited to, distribution data, characterization data, categorization data, confidence data, application data, and the like. For example, decision component 907 can analyze applications, libraries or other executables on a mobile communication device. In one example, decision component 907 may contain a neural network, which analyzes the characteristics of an executable file and determines a security assessment based on the network's binding characteristics. These characteristics can be determined based on information contained in the format of the executable file or as a result of processing the contents of the executable file. In another example, decision component 907 may contain an intelligent system that analyzes the behavior of an executable through function calls, system calls or actions that an executable can take on an operating system. If an executable accesses sensitive system calls in a way that signifies malicious behavior, the system may flag the executable as potential malware and action can be taken.
If decision component 907 is located on the mobile communication device 101, it may be desirable to update rules or analysis parameters independently of updating the executable code that powers the decision component. In one embodiment, decision component 907 contains a virtual-machine-based decision system by which an executable can be classified by a set of rules that can be updated independently of the decision component itself. Such a system is capable of adding new logic on the fly to detect certain new classes of undesirable applications without having to update the entire decision component. The system can pre-process the executable file so that the logic of the virtual machine can symbolically reference the executable instead of having to process the executable itself.
In one example, decision component 907 can consider third party information to evaluate the data. A person skilled in the art will appreciate that a mobile communication device 101 is capable of accessing an application provider, such as Apple's App Store, Android Market, or another program repository or digital distribution platform, that provides applications available for download and installation on the mobile communication device. In one embodiment, server 151 has access to these application providers and can collect information about specific applications. For example, server 151 can search for and collect user-generated comments or ratings about applications. An application that has favorable ratings can be considered safe, while an application with significantly negative ratings can be considered undesirable. Because server 151 can also determine confidence data for data objects, negative comments about an application may indicate that the application is undesirable only if the application has a low confidence rating, while an application with a high confidence rating and negative comments can still be considered desirable by an anti-malware system.
The above examples illustrate how decision component 907 can use a number of analytical methods in order to comprehensively assess the level of threat of data received or transmitted by a mobile communication device. Other examples can be contemplated without departing from the scope of this disclosure.
A person skilled in the art will realize that the identification of data objects as known good and known bad, such as by a mobile communication device 101 or server 151, can be performed by a single component instead of separate "known as good" and "known as bad" components. In one embodiment, a recognition component alone performs the functionality of identifying both data objects recognized as good and data objects recognized as bad. In one embodiment, a recognition component uses definitions to determine an assessment for a data object. The recognition component first examines the application data for a data object to determine whether any definitions match the data object. For example, if the recognition component has access to definitions that are hashes of the content of data objects, a definition that has the same hash as the hash of a given data object's content is determined to match the data object. In another example, if the recognition component accesses definitions that contain byte string signatures, a definition with a sequence of bytes contained in the content of a data object is determined to match the data object. Each definition can be associated with an evaluation, so that the recognition component can examine the application data for a data object to determine a corresponding definition, determine a corresponding evaluation for the definition, and therefore produce an evaluation that corresponds to the data object. For example, application data for a data object may include identifying information, such as the hash of the data object, the package name, the unique identifier, or other application data, such as the contents of the data object. In one embodiment, the definitions used by the recognition component represent known data objects. In this case, when the recognition component determines whether an evaluation for a known data object corresponds to a data object being analyzed, the data object being analyzed and the known data object do not have to be exactly the same. For example, if a first application from a particular developer is determined to be undesirable through analysis (for example, manual analysis, automatic analysis), a definition can be created for the first application that matches the package name of the first application. If the developer creates a modified application that has the same package name as the first application and the recognition component encounters the modified application, the definition is determined to match the modified application because the package name in the definition matches the modified application's package name. The recognition component then determines that the undesirable rating for the first application applies to the modified application. For example, a recognition component can access a definition database, each definition indicating a hash of the content of a data object and an indication of whether a data object to which the definition corresponds is considered good or bad. In one embodiment, the definitions used by one or more recognition components operating on server 151 are stored on server 151 or in data store 111. In one embodiment, the component known as good 903 and the component known as bad 905 are implemented on server 151 via a recognition component. For example, a component known as good can include a recognition component where all definitions accessed by the recognition component correspond to an assessment that a data object is considered to be good.
In one embodiment, the components known as good and known as bad are each implemented as recognition components that match the application data for a data object against application data known as good and known as bad. For example, a component known as good may have a list of hash identifiers, package names, and cryptographic signatures known as good that it attempts to match against the data objects being analyzed. In one embodiment, if a data object has no characteristics on the list of known to be good, it is considered safe. In one embodiment, the server can use a similar known-bad system that matches application data known to be bad against the application data for a data object being analyzed. Other systems for analyzing known good and known bad are possible without departing from the scope of this disclosure. In one embodiment, the recognition component produces a variety of assessments, not just "good" or "bad". In one embodiment, the recognition component uses a single evaluation instead of storing multiple evaluations if all definitions have only a single corresponding evaluation, as in the case where the recognition component only identifies whether a data object is "known as bad". Other variations are possible without departing from the scope of this description.
Figure 12 illustrates an embodiment of the present description used to evaluate data objects from a mobile communication device. A mobile communication device 101 can first initiate a scan of a data object, as in the case of a complete system scan, or when the data object is run or installed (block 1201). The recognition component evaluates the application data for the data object (for example, the name of the package, hash of the content of the data object, unique identifier, content of the data object) to determine whether a definition accessible to the recognition component matches the data object (block 1202).
For example, as discussed above, the matching may include matching identifying information for the data object against the data contained in a definition, or matching the content of the data object against the strings, patterns or logic contained in a definition. If a definition corresponds to the data object, then the recognition component determines the corresponding evaluation for the data object. In one embodiment, the recognition component in block 1202 uses a data store of definition and evaluation information. For example, as discussed above, the definitions stored on the mobile communication device can be pre-filled or filled in when the mobile communication device receives definition and evaluation information from server 151. In one embodiment, the definitions stored on the mobile communication device can be considered a cache, with the cache working as described above. If the recognition component of the mobile communication device determines an evaluation for the data object (block 1203), the evaluation is processed to determine how to treat the data object (block 1204). For example, if the assessment indicates that the data object is malicious, then the mobile communication device can prevent the data object from being executed or prompt the device user to uninstall the data object. If the recognition component in the mobile communication device does not determine an evaluation for the data object (block 1203), then the mobile communication device 101 transmits information about the data object, such as the application data (for example, identification information, data object content), to server 151 (block 1205). The server receives the data object information (block 1206), and a recognition component on the server evaluates the data object information to determine whether a definition accessible to the recognition component matches the data object (block 1207).
If a definition corresponds to the data object (block 1208), then server 151 determines an evaluation for the data object and transmits it to the mobile communication device (block 1209). If the recognition component does not determine a corresponding definition or evaluation for the data object (block 1208), a decision component on the server analyzes the information of the data object (block 1210). If the decision component produces an assessment, then server 151 transmits the assessment to the mobile communication device (block 1209). If no evaluation is produced by the decision component, then the server transmits an indication that the data object is unknown to the mobile communication device (block 1209). The mobile communication device 101 receives the evaluation from the server (block 1211) and processes the evaluation information to determine how to treat the data object (block 1204). In one embodiment, the mobile communication device 101 adds information from the evaluation received from server 151 to its local definition cache when it processes the evaluation information (block 1204). For example, the device can store information such as a disposition for the data object (for example, "known as good", "known as bad", "malware", "spyware"), an identifier transmitted by server 151, and the definition information generated by the device or transmitted by server 151 (for example, the hash of the content of the data object, the name of the package of the data object). In one embodiment, the mobile communication device analyzes a data object to be scanned using a local decision component on the mobile communication device before transmitting the information of the data object to server 151, in the event that the recognition component of the mobile communication device does not determine an assessment.
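The Figure 12 exchange described above, together with the recognition-then-decision ordering of Figure 9, can be sketched as follows. This is an added example, not code from the patent or from any product: the class names, the `need_content` reply, the first-match-wins rule and the `PREMIUM_SMS` marker used by the toy decision component are all assumptions, and the sample applications are constructed.

```python
import hashlib
from dataclasses import dataclass

GOOD, BAD, UNKNOWN = "known as good", "known as bad", "unknown"


@dataclass(frozen=True)
class Definition:
    kind: str        # "hash" (content hash), "package" (package name) or "bytes"
    value: object    # hex digest, package name, or byte sequence
    assessment: str  # evaluation associated with this definition


class RecognitionComponent:
    """Matches application data against definitions (blocks 1202 and 1207)."""

    def __init__(self, definitions=()):
        self.definitions = list(definitions)

    def evaluate(self, info):
        # Assumption: the first matching definition decides the evaluation.
        for d in self.definitions:
            if d.kind == "hash" and d.value == info["sha256"]:
                return d.assessment
            if d.kind == "package" and d.value == info["package"]:
                return d.assessment
            # Byte-sequence definitions can only match once content was sent.
            if d.kind == "bytes" and d.value in info.get("content", b""):
                return d.assessment
        return None  # no definition matches the data object


def toy_decision_component(content):
    """Stand-in for decision component 907: flags a constructed marker that
    represents behaviour the server considers undesirable, else no verdict."""
    return BAD if b"PREMIUM_SMS" in content else None


class Server:
    def __init__(self, definitions, decision=toy_decision_component):
        self.recognition = RecognitionComponent(definitions)
        self.decision = decision

    def assess(self, info):
        verdict = self.recognition.evaluate(info)        # blocks 1206-1208
        if verdict is None and "content" not in info:
            return {"need_content": True}                # request the full data object
        if verdict is None:
            verdict = self.decision(info["content"])     # block 1210
        return {"assessment": verdict or UNKNOWN}        # block 1209


class Device:
    def __init__(self, server):
        self.server = server
        self.cache = RecognitionComponent()  # local definition cache
        self.requests = 0                    # round trips made to the server

    def _send(self, info):
        self.requests += 1
        return self.server.assess(info)

    def scan(self, package, content):
        info = {"sha256": hashlib.sha256(content).hexdigest(), "package": package}
        verdict = self.cache.evaluate({**info, "content": content})  # block 1202
        if verdict is not None:                                      # block 1203
            return verdict
        reply = self._send(info)                                     # block 1205
        if reply.get("need_content"):
            reply = self._send({**info, "content": content})
        verdict = reply["assessment"]                                # block 1211
        if verdict != UNKNOWN:
            # Add the server's evaluation to the local cache, keyed by hash.
            self.cache.definitions.append(
                Definition("hash", info["sha256"], verdict))
        return verdict  # block 1204 would act on this evaluation


def build_demo():
    """Device talking to a server that holds three constructed definitions."""
    notes = b"constructed notes app v1"
    return Device(Server([
        Definition("hash", hashlib.sha256(notes).hexdigest(), GOOD),
        Definition("package", "com.example.badpkg", BAD),
        Definition("bytes", b"\xde\xad\xbe\xef", BAD),
    ]))
```

Sending only the hash and package name first keeps the common case to one small request; the full content travels only when neither identifier matches a definition.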
In one embodiment, the analysis by the local decision component and the transmission of data object information to the server occur in parallel to minimize delay for the user. A person skilled in the art will realize that a variety of component configurations, in a combined client-server anti-malware system, are possible without departing from the scope of the present invention. In one embodiment, mobile communication device 101 transmits authentication information, such as authentication credentials or session information, to server 151 whenever it sends information about a data object, so that the server can associate the information exchanged with a given account on the server.
D. Application Evaluation and Advisory System
The earlier parts of this disclosure describe various systems and methods for collecting different types of data from one or more mobile communication devices and other sources, as well as analyzing the data collected to produce assessments of the data objects. The following is a discussion of how server 151 can use assessments for display, for exposure via an API, and for a variety of other purposes. Some examples of evaluations that have been disclosed in the present invention include the output of one or more analysis systems (for example, characterization data, categorization data, confidence data and distribution data) and one or more evaluations for a data object (for example, security assessment, privacy assessment, battery assessment, performance assessment, quality assessment). A person skilled in the art will appreciate that the assessment information covers a wide variety of information that can be used to understand the effects of installing a certain data object on a mobile communication device, going beyond a typical anti-malware system's evaluation of whether or not the data object is malicious.
In addition, this assessment information can be used to guide decisions to download and install different types of data objects. This information can be useful for an individual user trying to decide whether to install a particular application on their mobile device. This information can also be useful for an IT administrator trying to decide whether to deploy a particular application to a plurality of mobile communication devices. In one embodiment, a user or IT administrator can use this information in applying application policy. A person skilled in the art will appreciate that the data available to server 151 and the assessments produced by the server are also useful for purposes other than anti-malware. For example, assessments can detail whether a data object is known to consume the battery of a mobile communication device excessively, or whether a data object uses an undesirable amount of network resources. Because server 151 continues to gather, store and analyze data to produce assessment information, in one embodiment server 151 can provide information that details how a data object is estimated to affect a mobile communication device before the data object is installed on the mobile communication device. For example, server 151 can provide estimated battery usage information and/or network usage information for an application. When users interact with assessments, it may be desirable that assessments represent an appropriate level of granularity so that users do not feel that assessments are too broad or too narrow. In one embodiment, server 151 merges the assessments of several data objects into a single assessment and transmits the assessment resulting from this merger. For example, if an application contains multiple data objects (for example, executables and multiple libraries), a user may want to see an evaluation for the application as a whole, not multiple evaluations for its constituent data objects.
Likewise, if there are multiple versions of an application (on a single platform or on multiple platforms) that have similar characteristics, an administrator may want to see a single application rating that covers all versions of the application. In order to merge evaluations of various data objects, server 151 can use application data, such as file paths, version numbers, package names, cryptographic signers, installation source and other information, to determine that a group of data objects belongs to a particular version of an application and/or that one or more data objects or groups of data objects belong to different versions of an application. For example, if a set of executables is commonly seen together in the same directory, server 151 can determine that the executables are all related to the same application. In another example, if an application package has a package name and a version identifier embedded in it, server 151 can determine that two data objects with the same package name and the same user-readable application name, but with different version identifiers, are multiple versions of the same application.
Since it may be desirable for assessments to provide a consistent form of information across platforms, one embodiment of the present description is directed to server 151 including some or all assessments for data objects that operate on different platforms. For example, although the location APIs on different smartphone operating systems differ greatly in how they function, server 151 can perform operating-system-specific analysis on data objects to produce a cross-platform assessment of whether each data object accesses the location of the device. If the assessment were in the form of a list of capabilities for the data object, both a BlackBerry mapping application and a location-based social network on Android would have the capability to "access the device's location".
Likewise, battery usage can be calculated differently on each platform, but server 151 can produce a multi-platform assessment of estimated daily battery usage measured as a percentage of total battery capacity. In one embodiment, aggregated assessments for various data objects include information on the range of characteristics and categorization of the data objects. For example, an assessment may show a trend in battery usage across multiple versions of an application. An application that used the battery heavily in an old version but has recently reduced its battery usage may be acceptable, while an application that has consistently high battery usage may be unacceptable.
One embodiment of this disclosure is directed to server 151 making evaluations of data objects available through a web interface. For example, users may wish to learn more about the features and capabilities of the applications on their mobile devices. Server 151 can display, as a web interface, an index of applications for which evaluations are available and an evaluation for each of these applications. To make applications easy to locate, server 151 can organize applications in various ways, such as in alphabetical order, by their characteristics, by their evaluation, and by platform. In addition, server 151 can allow a user to search for applications using terms that match the application name, description or application rating fields (for example, all applications that run on the Android operating system and send the location to the internet). In addition, displaying ratings publicly can help with application transparency. For example, application vendors can direct users to the evaluation page generated by server 151 as an independent third-party evaluation of an application's capabilities so that users can check what the application is doing.
In one embodiment, the server generates a web interface that allows the user to view the conditional rating of an application based on the device's data (for example, how much battery the application drains on a Motorola Droid, how much network data the application uses on AT&T Wireless) and to compare different conditional ratings (for example, the battery usage of this app on a Motorola Droid versus an HTC Hero, how much network data this app uses on AT&T Wireless versus Verizon Wireless). Such conditional assessments can be useful for identifying anomalous behavior in particular circumstances. For example, the assessment page may indicate that a particular set of devices, versions of the operating system, or other applications installed on a device cause a higher error rate or an anomalous change in certain evaluation features for this application. In one embodiment, server 151 identifies data objects with extreme values for certain evaluation values. For example, server 151 can generate a web page that identifies which applications use more than 1 GB of network data per month or which applications use more than 10% of a device's battery.
Since the evaluation data generated by server 151 can be used to provide a variety of other products and services, one embodiment of the present description is directed to server 151 exposing the evaluation data through an API. All functionality exposed by a web interface, as described above, can also be exposed as an API so that a variety of products and services can be built. For example, server 151 may provide an HTTP API in which supplying the package name of a data object or a hash of its content in the request URL results in the server returning an evaluation of the data object identified by the package name or content hash. In another example, server 151 can generate a JavaScript file that can be included by a remote web page and that displays an interactive assessment view for a given data object.
In one embodiment, server 151 can cause evaluation data, such as a rating or a disposition indicating whether an application is desirable or not, to appear in an application market. It will be appreciated that application markets can be implemented in a variety of ways, such as by using a website, a mobile client application, a PC-based client application, or a messaging service such as SMS. As such, instead of subjective information provided by users, one embodiment of this disclosure will provide objective assessment information for an application or other data object. For example, server 151 can provide an API that can be queried for evaluation data, or server 151 can proactively analyze all applications available in an application market and transmit evaluation data to the application market provider. In one embodiment, a user can search the application market only for applications that meet certain desirable criteria, such as security, privacy, device efficiency, reliability, and the like. In one embodiment, application providers can use aggregate information to provide quality control measures. The application provider may present only applications that meet certain battery efficiency criteria, a standard for an acceptable number of failures or errors, certain limits on network traffic, protection of privacy, and the like. In this way, an embodiment of this disclosure can improve the offerings in an application market, encouraging developers to create better applications. In one embodiment, the assessment information can be used as a certification system, in which an application that meets certain criteria can be marked with a symbol, badge, or other icon to indicate the positive assessment for the application. For example, applications that have a high confidence rating or applications that access only a minimal set of personal information can be considered certified.
In order to verify the certification of an application, the certification marker can have a link or other means for the user to retrieve a complete evaluation from server 151.
In one embodiment, server 151 transmits the evaluation information to the mobile communication device 101 for display. For example, a mobile device may have an interface through which a user can explore the ratings of all applications installed on the device. The interface can allow a user to view the evaluation information for a given application, as well as to see which applications match a set of evaluation criteria (for example, all applications that send the device's location to the internet, the 10 that use the most battery, all applications that use more than 50 megabytes of network traffic per month). In one embodiment, the mobile communication device 101 displays an interface as part of an application market, an application download process, or an application installation process on a mobile communication device, so that a user browsing an application that is available to download or install can view the evaluation information for the application. When the user browses, downloads or installs an application, the device transmits identification information to server 151 and receives an assessment for the application, displaying some or all of the assessment in a user interface. For example, the interface can show the capabilities of the application or the characteristics of the application. The interface can also be interactive, allowing the user to explore aspects of the evaluation and requesting additional evaluation information from server 151 if necessary.
In another example, the device may present a confidence indicator for an application, as determined by server 151 and transmitted to device 101 as part of an assessment. The confidence indicator can be presented in several ways, including as a certification (for example, a "Lookout™" certificate) or as a rating (for example, "A+", "B-", "C+"). In some cases, users will not read long security explanations, so it is important to display security information about applications in a way that is easy to understand. In one embodiment, mobile communication device 101 presents a graphical evaluation indication for the application. For example, significant aspects of assessments can be displayed as icons or symbols for the application. Some examples include badges such as "battery efficient", "battery consumer", "location access", "spying ability", "social network", and "app file sharing". The badge for each evaluation may include an illustration that makes it easy to understand and a color that indicates whether the evaluation is merely informative or potentially critical. For example, an application that is battery efficient may have a green icon showing a full battery, while an application that uses a lot of battery may have a red icon showing an empty battery.
Because server 151 continually gathers better information and assessments, the assessment information can be updated in application markets and/or on mobile communication devices that have the assessment information cached. For example, server 151 may send the application market or the mobile device a notification or indication that new evaluation information is available. In another example, server 151 can simply transmit the updated evaluation information, so that the old information is replaced.
In addition to viewing assessments on a device for data objects that are installed on that device, it may be desirable to view assessments for data objects installed on a device from a web interface. For example, a user may want to use their PC to explore the ratings of applications installed on their device. As discussed, in one embodiment, the mobile communication device 101 transmits application data for the installed data objects to server 151. Because server 151 can store which applications are currently installed on device 101, the server can generate an interface for viewing the ratings for those applications. For example, server 151 can generate and transmit a web interface allowing a user to view a list of all applications installed on a device, view an evaluation for each installed application, and explore installed applications that match specific evaluation values (for example, all apps that can access my location). To prevent the disclosure of private information, server 151 may require a user to log in with authentication credentials in order to view the ratings of the applications on their device.
In addition, a company administrator may wish to view assessments for a group of devices from a central management console. In one embodiment, server 151 generates a web interface that allows the user to view evaluations of applications installed on various devices. For example, the web interface can allow a user to explore all applications installed on a group of devices that correspond to a certain evaluation field (for example, file sharing applications), view risk assessments for the group of devices, view all capabilities for the applications installed in the deployment, and determine which devices and applications are causing certain capabilities and risk exposures.
A user can start by using server 151 to generate a general set of security, privacy and battery risk assessments for the device group, then click on an assessment to see the list of applications that contribute the most to that risk assessment. The user can then see which devices have a given application. In another example, a user can start by using server 151 to generate a list of all installed application capabilities for the group, and then click on a particular capability to view all installed applications in the group that have that capability. From there, the user can further explore which devices in the group have a particular application installed. In one embodiment, assessments for a group of devices are exposed by server 151 in the form of an API for use by external services, such as management consoles. For example, server 151 can expose risk ratings for the device group to a centralized security reporting system via an HTTP API.
On mobile communication devices, battery and network data are often limited, so applications can adversely affect the device's battery life and can cause the network to become overloaded. One embodiment of this disclosure is directed to the use of evaluations to make users aware of the battery and network usage of applications and to alert users to abusive applications. The software on the device retrieves from server 151 an assessment that contains battery and network usage characteristics for an application and displays the assessment to the user. As described above, a device requesting evaluation information from server 151 can include application data for the application. The assessment can be customized for the user's specific device: the device either sends device data when retrieving the assessment or sends authentication data that associates the assessment request with previously transmitted device data.
For example, the assessment may indicate that an application is likely to reduce battery life on the user's phone model by 5% or 1 hour, whereas a different phone model with different battery life characteristics may receive an assessment that the same application reduces battery life by 10% or 3 hours. The evaluation can be shown as part of an application market on the device or as a user interface dialog before, during or after installing the application.
On the other hand, after the user installs multiple applications, it may be desirable for the user to understand which applications contributed most to network usage or battery usage, based on the actual behavior of the applications on the device. In one embodiment, the device collects behavioral data for an application's battery and network usage and allows the user to view the actual behavioral data from an interface on the device. For example, the interface allows a user to view a particular application's battery and network usage, as well as the applications that use the most network and battery, in order to identify which applications are contributing to overloading the network or shortening battery life. In one embodiment, the mobile communication device 101 reports the behavioral data of the applications installed on the device to server 151 and allows the user to view the actual behavioral data through a web interface generated by the server. A person skilled in the art will appreciate that other features of mobile applications can also be monitored and shown to users.
Because a single application can cause significant problems in terms of battery life, network usage, or other limited resources, it may be desirable to notify the user when an application is behaving in an undesirable manner.
In one embodiment, the mobile communication device 101 monitors the battery and network usage of applications installed on the device and notifies the user of the device when an application exceeds the desired limits. For example, the user can set limits on the amount of data applications can transmit and receive before the user is notified. In another example, a user is notified when the device determines that an application will negatively affect the user's battery life or phone bill. If a user normally uses a phone for 20 hours before charging it and an app on the device reduces the estimated battery life to 20 hours, the user is likely to run out of battery. It can then be important to alert the user that there is an action he can take to avoid running out of battery, that is, uninstalling or disabling the battery-consuming application.
In one embodiment, to prevent applications on a user's device from exceeding the user's data plan, device 101 or server 151 predicts the future data usage of a device and gathers information about the device's data plan. In order to gather information about a device's data plan, device 101 or server 151 connects to a network operator's servers to determine data plan information, such as the allocation of data per billing cycle, what the billing cycle is, and the amount of data that has been used during the current billing cycle. Communications with the network operator's servers can occur in several ways, such as via an HTTP API or SMS messages. If the software on a device uses SMS messages to retrieve a user's data plan information, the software can automatically consume the reply message sent by the network operator's servers to prevent the communication from appearing in the user's inbox. To predict future data usage, server 151 can analyze typical data usage for applications installed on a device and actual data usage on that device.
If an application was installed recently, typical data usage can be used, whereas for an application that has been on the device for months, actual data usage can be used. If applications on device 101 use network data at a rate that would exceed the device's data plan allocation by the end of the billing cycle, the software on the device displays an alert indicating likely additional charges. The alert can also display the applications that contributed most to the data usage and inform the user of the need to uninstall or reconfigure the applications. Device 101 can report the alert to server 151, which can also send a notification (for example, via e-mail) indicating the potential for data overage. The software on device 101 or server 151 may provide an indication of the current expected data usage relative to the device's data allocation so that a user can adjust usage patterns accordingly. For example, if a user is concerned about exceeding his data plan, he can check the current forecast for data usage before participating in a video conference.
Because applications installed on a device can have a significant impact on the device's risk exposure, it may be desirable for a user or administrator to establish a policy for which applications are desirable to install on a device or group of devices. The following discussion is about how a protection policy can be implemented on one or more mobile communication devices. In one embodiment, the policy includes black lists and white lists. A black list is a set of applications or evaluation criteria that are explicitly denied from running on a mobile communication device, while a white list is a set of applications or evaluation criteria that are explicitly allowed to run on a mobile communication device. For example, a policy may allow only applications on a white list or only applications that are not on the black list.
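The data-plan forecast described above (typical usage for recently installed applications, measured usage for established ones, projected to the end of the billing cycle) can be sketched as follows. This is an added example, not code from the patent; the `AppUsage` fields, the `RECENT_DAYS` cut-off and all sample figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: the text does not define "installed recently"; 14 days is illustrative.
RECENT_DAYS = 14


@dataclass(frozen=True)
class AppUsage:
    name: str
    days_installed: int
    actual_mb_per_day: float    # measured on this device
    typical_mb_per_day: float   # server-side figure gathered from many devices


def daily_rate(app):
    """Use typical usage for a recently installed app, measured usage otherwise."""
    if app.days_installed < RECENT_DAYS:
        return app.typical_mb_per_day
    return app.actual_mb_per_day


def forecast(apps, used_mb, allocation_mb, cycle_days, day_of_cycle, top_n=3):
    """Project usage to the end of the billing cycle and decide whether to alert."""
    if not 1 <= day_of_cycle <= cycle_days:
        raise ValueError("day_of_cycle must lie within the billing cycle")
    days_left = cycle_days - day_of_cycle
    per_app = {a.name: daily_rate(a) * days_left for a in apps}
    projected = used_mb + sum(per_app.values())
    alert = projected > allocation_mb
    # Largest projected consumers first; ties broken by name for stable output.
    ranked = sorted(per_app, key=lambda n: (-per_app[n], n))
    return {
        "projected_mb": projected,
        "percent_of_allocation": round(100 * projected / allocation_mb, 1),
        "overage_mb": max(0, projected - allocation_mb),
        "alert": alert,
        # The alert names the applications that contribute most to the forecast.
        "top_contributors": ranked[:top_n] if alert else [],
    }


# Constructed sample: a 2048 MB plan, day 10 of a 30-day cycle, 700 MB used so far.
APPS = [
    AppUsage("video", days_installed=90, actual_mb_per_day=60, typical_mb_per_day=40),
    AppUsage("newgame", days_installed=2, actual_mb_per_day=5, typical_mb_per_day=25),
    AppUsage("mail", days_installed=200, actual_mb_per_day=3, typical_mb_per_day=8),
]
REPORT = forecast(APPS, used_mb=700, allocation_mb=2048, cycle_days=30, day_of_cycle=10)

if __name__ == "__main__":
    print(REPORT)
```

The two-day-old application is forecast from its typical figure rather than its two days of measurements, which is what pushes this sample over the allocation early enough for the user to act.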
In one embodiment, explicit application entries have higher priority than evaluation criteria entries. For example, a policy may specify certain capabilities (for example, sending the location of a device to the internet) that are blacklisted, but specify certain applications that are whitelisted. In this case, all applications that send the location to the internet can be blocked unless they are explicitly on the white list, because explicit application entries on the white list have higher priority than evaluation criteria entries on the black list. A person skilled in the art will appreciate that a variety of policy schemes can be implemented without departing from the scope of the present invention.
Users can have individual preferences for the type of application they want on their mobile devices. Some users, for example, may be sensitive to privacy issues, while others may want to optimize battery life. In order to allow users to use application evaluations to gain greater knowledge about the applications they use or are considering using, one embodiment of this disclosure is directed to software on a mobile communication device that allows the user to define policies based on evaluation criteria for applications, with the software blocking applications that exceed an undesirability threshold. When a user tries to install an application, the software requests an evaluation of the application from server 151 and receives the evaluation from the server. For example, if the user tries to install an application that has the ability to send location information to the internet, but has a policy not to allow any applications that can send the device's location to the internet, then the software on the mobile device will block the installation. In another example, a user can set the policy limits for security, privacy and battery life individually on a relative scale (for example, from 0 to 10).
When the user installs an application, the software on the device retrieves an evaluation for the application, compares the privacy, security and battery ratings of the application with the limits, and alerts the user if the application exceeds the configured policy. Instead of having the installation of an undesirable application blocked, a user may simply want to be warned. In one embodiment, the user can ignore the alert and choose to accept the application anyway. In one embodiment, the device presents a user interface indicating whether an application is undesirable for the user. For example, a mobile device may display an indication of whether an application being viewed for download in an application market meets the user's desirability criteria. In another example, software on a device can allow a user to see all applications that do not meet the desired criteria. This interface can be useful if a user changes their criteria and wants to see applications that are now undesirable under the new criteria.
IT administrators, parents, network operators or others responsible for multiple mobile communication devices may want to set the policy on multiple mobile communication devices without physical access to all devices. In one embodiment, server 151 allows a user or administrator to establish policies for a device or group of devices. When device 101 attempts to install an application, the device sends a request to server 151 for an evaluation of the application. Based on the policy configured on server 151, the assessment contains an indication of whether the application is permitted or prohibited and may also contain the policy criteria that explain why a prohibited application was assessed in this way. In one example, the policy on server 151 is configurable through a web interface. In one embodiment, server 151 allows the policy to be configured by evaluation criteria, as well as on a per-application basis.
For example, an administrator can use server 151 to block all applications that are in a certain category, such as social networking applications, or all applications that access certain capabilities, such as the ability to transmit files or other sensitive data from a device. In one example, an administrator may want to allow only specific applications by creating a white list, blocking all applications that are not on the white list. In another example, an administrator can allow all applications other than particular applications that are blacklisted because they are known to be undesirable. Since the set of applications allowed or denied under a policy can be pre-calculated, one embodiment of the present description is directed to server 151 generating a set of policy definitions and transmitting the policy definitions to one or more mobile communication devices 101. For example, if a device group has a policy to allow only applications that are on a white list, server 151 can transmit a list of identifying information for applications that are on the white list to a mobile device so that the device does not need to contact the server for evaluations each time it finds an application.
When the policy configuration uses abstract concepts such as categorization and application capabilities, it may be desirable for a user or administrator to see which applications would be allowed/denied, or whether a particular application would be allowed/denied, if configuration changes were made. In one embodiment, the policy configuration user interface on the mobile communication device 101 or server 151 includes an interface for viewing the applications that would be blocked or allowed as part of a configuration change. If the configuration change interface is displayed on the mobile communication device 101, the device can request data from server 151 to populate the interface.
It may be desirable to show all applications allowed or blocked after the configuration change takes effect, or just the difference in applications allowed or blocked between the current configuration and the new configuration. Since the number of applications affected by a configuration change can be very large, the interface can display summary information and allow a user to search for a particular application to determine whether the configuration change affects that application and whether the change would result in the application being allowed or blocked. In one embodiment, the interface that displays the effect of a configuration change indicates whether any applications of interest would be blocked. For example, whether an application is of interest can be determined based on general distribution data determined by server 151 or the prevalence of the application in the device group being administered. In one embodiment, the interface showing the result of the change shows only the changes that affect applications that are currently installed on at least one device in the group being managed.
To prevent a policy system from interfering with the acceptable use of mobile communication devices, one embodiment of the present description is directed to server 151 maintaining sets of acceptable applications and allowing a user or IT administrator to easily add those sets to a white list, with the white list automatically including changes to the acceptable application sets. For example, server 151 can maintain a list of applications that are generally popular or a list of popular applications by application category. In a policy configuration interface, the server can present a way to include all popular applications or just popular applications in specific categories (for example, games, social networks) in the policy's white list.
In one embodiment, such dynamic policy lists have a higher priority than the evaluation criteria entries on black and white lists, but a lower priority than explicit application entries. In another example, server 151 can maintain a list of applications with high confidence. In a policy configuration interface, the server can provide a way to include all high-confidence applications in the policy's white list. Whenever the high-confidence list is updated, applications with high confidence are effectively considered to be on the white list when policy assessments are made.
Since a mobile device deployment may already have a device management server or service in place, it may be desirable for server 151 to provide data to a device management server that actually enforces the policy. In one embodiment, server 151 integrates with a device management server to configure the application policy on the device management server. For example, the device management server can support configurable black and white lists of applications. If a user configures server 151 to allow only applications that are on a white list or that meet certain evaluation criteria, server 151 generates the list of applications that will be on the white list and passes the list of applications to the device management server in a format and over a protocol that the device management server supports. Likewise, if a user sets up a blacklist on server 151, the server generates the list of applications that are blacklisted and configures the device management server to apply the blacklist. In one embodiment, the server is capable of configuring multiple device management servers. For example, if an organization supports multiple mobile device operating systems and uses different mobile device management servers, an administrator can set up a multiplatform policy on server 151 (for example, blocking all file sharing applications).
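The three priority tiers described above (explicit application entries, then server-maintained dynamic lists, then evaluation criteria entries) and the pre-computed lists handed to a device or device management server can be sketched as follows. This is an added example, not code from the patent: the class and field names, the package names, the capability labels and the deny-wins tie-break inside the explicit tier are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assessment:
    """The fields of a server assessment that a policy decision needs (constructed)."""
    package: str
    category: str
    capabilities: frozenset = frozenset()


@dataclass
class Policy:
    # Tier 1: explicit application entries (highest priority).
    explicit_white: set = field(default_factory=set)
    explicit_black: set = field(default_factory=set)
    # Tier 2: dynamic lists maintained by the server and added to the white list.
    dynamic_white: dict = field(default_factory=dict)   # list name -> package names
    # Tier 3: evaluation criteria entries (lowest priority).
    black_capabilities: set = field(default_factory=set)
    black_categories: set = field(default_factory=set)
    white_categories: set = field(default_factory=set)
    # True: allow anything not black-listed. False: allow only white-listed apps.
    default_allow: bool = True


def evaluate(policy, a):
    """Return (allowed, reason) for one assessed application."""
    if a.package in policy.explicit_black:      # assumption: deny wins a tie
        return False, "explicit black list entry"
    if a.package in policy.explicit_white:
        return True, "explicit white list entry"
    for name in sorted(policy.dynamic_white):
        if a.package in policy.dynamic_white[name]:
            return True, "dynamic list " + name
    hits = sorted(a.capabilities & policy.black_capabilities)
    if hits:
        return False, "black-listed capability: " + ", ".join(hits)
    if a.category in policy.black_categories:
        return False, "black-listed category: " + a.category
    if a.category in policy.white_categories:
        return True, "white-listed category: " + a.category
    return policy.default_allow, "policy default"


def precompute(policy, assessments):
    """Split known applications into the allow and deny lists that a device or a
    device management server can apply without asking the server each time."""
    allowed, denied = [], []
    for a in assessments:
        (allowed if evaluate(policy, a)[0] else denied).append(a.package)
    return sorted(allowed), sorted(denied)


# Constructed sample data: package names and capability labels are made up.
CATALOG = [
    Assessment("com.example.maps", "navigation", frozenset({"send_location"})),
    Assessment("com.example.friendfinder", "social", frozenset({"send_location"})),
    Assessment("com.example.puzzle", "games"),
    Assessment("com.example.share", "file_sharing", frozenset({"transmit_files"})),
    Assessment("com.example.notes", "productivity"),
]

POLICY = Policy(
    explicit_white={"com.example.maps"},
    dynamic_white={"popular:social": {"com.example.friendfinder"}},
    black_capabilities={"send_location"},
    black_categories={"file_sharing"},
)

if __name__ == "__main__":
    for app in CATALOG:
        print(app.package, evaluate(POLICY, app))
    print(precompute(POLICY, CATALOG))
```

Because the dynamic tier is consulted on every evaluation, an application that the server drops from a dynamic list falls through to the criteria tier on the next decision, which is why pre-computed lists have to be regenerated whenever a dynamic list changes.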
Server 151 can then identify all applications on the various platforms whose ratings match the policy and configure the appropriate application policies on the device management servers. Because each device management server may support only a subset of the mobile device platforms that server 151 supports, server 151 transmits to a device management server only the policy information that corresponds to data objects that run on operating systems supported by that device management server. For example, if a device management server only supports BlackBerry devices, server 151 can configure the device management server's black list and/or white list only with information about BlackBerry applications.
In one embodiment, policy compliance verification can be performed by either server 151 or mobile communication device 101. For example, if the server performs compliance verification, any compliance settings are stored on server 151, so that any configuration performed on mobile communication device 101 results in the configuration being transmitted to the server. When the device requests an evaluation for an application from server 151, the server includes in the evaluation an indication of whether the application is permitted or prohibited by the policy. In another example, if the mobile communication device 101 performs the compliance check, any compliance settings are stored on the mobile communication device 101, so that any configuration performed on server 151 results in the configuration being transmitted to the device. When the device receives an evaluation for an application, it compares the evaluation with the policy setting to determine whether the application is allowed.
In one embodiment, policy management is integrated with a server-coupled anti-malware system so that application signatures and ratings provided by server 151 enable device 101 to block data objects that violate the policy.
For example, when device 101 requests an evaluation from server 151, the server's evaluation indicates that an application is undesirable if the application is considered malicious or if it violates the policy. In either case, the evaluation may include further information about why the application was considered malicious or in violation of the policy. In another example, server 151 can preemptively transmit signatures for policy-violating or malicious applications to mobile communication device 101, so that the device can recognize whether a data object is desirable or undesirable without having to contact server 151.

If device 101 has installed an application that violates a protection policy in place on either the device or server 151, or if the rating for an application has been updated so that it now violates the protection policy, it may be desirable for remedial actions to be taken by the device or by other systems. In one embodiment, if a device has an application installed that violates the protection policy for that device, the server or software on the device can initiate remedial actions. Depending on whether compliance with the policy is determined on device 101 or on server 151, either the device or the server can determine which remedial actions should be taken. For example, if a user installs an application and the evaluation received from server 151 indicates that the application is acceptable, but at some point in the future the server determines that the application is unacceptable, server 151 transmits an updated evaluation to the device, including remedial actions for the device to take. In another example, if a user installs an application on a device and the device receives a rating from server 151 indicating that the application is acceptable, but software on the device gathers behavioral data showing that the application violates the policy (e.g.
the application tries to acquire the user's location), the device can perform pre-configured remedial actions, such as removing the application. The device can also transmit this behavioral data to server 151 and indicate the policy violation. A person skilled in the art will appreciate that using behavioral data to enforce policy can protect the mobile communication device in a variety of situations, such as when a vulnerability in an application is exploited, when an application behaves undesirably only on a subset of devices (for example, an attack directed at employees of a certain company), or when an application behaves undesirably only after a period of time (that is, a time bomb).

When a device is found to violate the policy, a variety of remedial actions are possible. For example, any violating applications can have their processes terminated, can be uninstalled, can be isolated from certain system functionality (for example, the internet or private data), or can be prevented from accessing certain networks (for example, permitted to use only Wi-Fi and not the cellular network). It may also be desirable to isolate the entire device from sensitive resources, such as corporate email or a VPN server, while it is out of compliance, to prevent information leakage. Other remedial actions are included in US Provisional Patent Application No. 12/255,614, filed on October 21, 2008 and incorporated here in its entirety.

If an administrator is able to define the policy using server 151, it may also be desirable for a user to use server 151 to see the compliance status of the devices to which the policy applies. In one embodiment, server 151 determines whether a group of mobile communication devices complies with the application policy and which applications are installed on the devices in the group.
For example, if mobile communication devices report the applications they have installed and server 151 holds the policy settings, the server can determine which devices currently violate the policy set by an administrator. To allow an administrator to see the compliance status, server 151 can generate a web interface showing whether all devices are in compliance and, if devices are out of compliance, how many there are. The interface can also allow the administrator to see which devices are out of compliance, see which applications put those devices out of compliance, and initiate remedial actions (for example, removing an application) remotely. In one embodiment, server 151 offers a one-click remediation action by which an administrator can click a single button to remotely initiate remedial actions on all devices in the group the administrator manages. For example, if an administrator manages 100 devices and 10 of these devices have applications that violate the policy, the administrator can click the one-click remediation button on the web interface to have the server send an indication to each of the 10 out-of-compliance devices to remove the unwanted applications, without any user intervention being necessary. Once the remedial actions are finished, each device 101 can send an indication to server 151 of whether or not it was successful. During the remediation process, server 151 can generate an interface through which the administrator can view the status of the remediation. Other methods for the server to expose compliance status include server 151 exposing an API (for example, for use by a security management console) and server 151 generating downloadable reports.
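The policy precedence and fleet compliance check described above can be sketched as follows. This is an added example, not code from the patent: the record fields, function names, application identifiers and device inventory are constructed assumptions.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Assessment:
    """Server-side record for one application (field names are assumptions)."""
    app_id: str
    platform: str
    categories: frozenset = frozenset()
    high_confidence: bool = False  # member of the server's dynamic high-confidence list


@dataclass
class Policy:
    explicit: dict = field(default_factory=dict)          # app_id -> ALLOW or DENY
    allow_high_confidence: bool = False                   # dynamic list treated as white list
    denied_categories: set = field(default_factory=set)   # black list evaluation criteria
    allowed_categories: set = field(default_factory=set)  # white list evaluation criteria
    default: str = ALLOW


def decide(policy, a):
    """Precedence from the text: explicit entries > dynamic lists > criteria."""
    if a.app_id in policy.explicit:
        return policy.explicit[a.app_id], "explicit entry"
    if policy.allow_high_confidence and a.high_confidence:
        return ALLOW, "dynamic high-confidence list"
    hit = sorted(a.categories & policy.denied_categories)
    if hit:
        return DENY, "black list criteria: " + ", ".join(hit)
    if a.categories & policy.allowed_categories:
        return ALLOW, "white list criteria"
    return policy.default, "default"


def fleet_compliance(policy, assessments, inventory):
    """Map each out-of-compliance device to the (app, reason) pairs that violate policy."""
    violations = {}
    for device_id, installed in inventory.items():
        bad = []
        for app_id in installed:
            # An application the server has never assessed falls through to the default.
            a = assessments.get(app_id) or Assessment(app_id, "unknown")
            verdict, reason = decide(policy, a)
            if verdict == DENY:
                bad.append((app_id, reason))
        if bad:
            violations[device_id] = bad
    return violations


def remediation_orders(violations):
    """One 'remove' indication per violating app, as the one-click action would send."""
    return [{"device": d, "action": "remove", "app": app}
            for d, bad in sorted(violations.items()) for app, _ in bad]


def mdm_black_list(policy, assessments, supported_platforms):
    """Denied apps limited to the platforms one device management server supports."""
    return sorted(a.app_id for a in assessments.values()
                  if a.platform in supported_platforms and decide(policy, a)[0] == DENY)


# Constructed sample data.
ASSESSMENTS = {a.app_id: a for a in [
    Assessment("com.example.mail", "android", frozenset({"email"}), True),
    Assessment("com.example.sharebox", "android", frozenset({"file_sharing"})),
    Assessment("com.example.sharebox.bb", "blackberry", frozenset({"file_sharing"})),
    Assessment("com.example.syncpro", "android", frozenset({"file_sharing"}), True),
    Assessment("com.example.tracker", "android", frozenset({"location"}), True),
]}
POLICY = Policy(explicit={"com.example.tracker": DENY},
                allow_high_confidence=True,
                denied_categories={"file_sharing"})
INVENTORY = {
    "device-01": ["com.example.mail"],
    "device-02": ["com.example.mail", "com.example.sharebox"],
    "device-03": ["com.example.syncpro", "com.example.tracker"],
    "device-04": ["com.example.sharebox.bb", "com.example.unknown"],
}

if __name__ == "__main__":
    found = fleet_compliance(POLICY, ASSESSMENTS, INVENTORY)
    print(f"{len(found)} of {len(INVENTORY)} devices out of compliance")
    for order in remediation_orders(found):
        print(order)
    print("BlackBerry-only MDM list:", mdm_black_list(POLICY, ASSESSMENTS, {"blackberry"}))
```

Note that `com.example.syncpro` is allowed despite matching a black list category because the dynamic list outranks the criteria, while `com.example.tracker` is denied despite being high-confidence because an explicit entry outranks the dynamic list.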
In some cases, it may be desirable for a user or administrator to receive a notification if they install an application that is considered undesirable, or if an application they have installed is later considered undesirable based on an updated assessment. In one embodiment, mobile communication device 101 transmits information about the installation of a data object to server 151. If server 151 determines that the data object is undesirable, based either on universally undesirable characteristics or on characteristics undesirable for that user, the server transmits a notification. For example, if a user installs an application that is rated as desirable, but at some point in the future the application begins to exhibit malicious behavior or other undesirable behavior, such as high battery consumption, the server can change its rating to indicate that the application is undesirable. The notification can be delivered in several ways, such as an email, an SMS message, or a user interface dialog displayed on a web page, on a PC or on a mobile communication device.

For an IT administrator managing a plurality of mobile communication devices, policies can be defined for a specific application even if the application is available on multiple platforms and has multiple versions. For example, it is not uncommon for an IT administrator to manage a variety of mobile communication devices with different operating systems. The variety of mobile communication devices can include iPhones, BlackBerry devices and Android devices. If a given application is known to be undesirable on all three device operating systems, such as a social networking application that can disclose private information, the IT administrator can block installation of all versions of the application, regardless of the platform.
However, if an application can share confidential information on one platform but not on others, the IT administrator can allow the application to be installed only on the platforms where it does not share confidential information. As discussed above, it may also be desirable for an IT administrator to make policy decisions about all versions of an application at once, instead of maintaining a policy that treats multiple versions of an application as separate decisions. Because some applications are updated very often, managing application policy would quickly become very difficult if an administrator could not treat all versions of a specific application as one policy decision.

As an application can change dramatically between updates, it is desirable for an administrator to be made aware of any changes that could affect the administrator's decision whether or not to allow the application. One embodiment of this description is directed to server 151 sending a notification when an application that is present on a black list or white list significantly changes its capabilities or characteristics. For example, if a new version of an application that is on the administrator's white list has the ability to transmit files from the user's device, while previous versions did not, then server 151 can send an email or text message to the administrator indicating the change. The policy management interface on server 151 can also display a list of applications that may need attention based on changed characteristics.

In order to simplify configuration, one embodiment of the present description is directed to software on mobile communication device 101 or server 151 providing default criteria that cover common use cases. For example, a user may be able to select that they are concerned with battery life and location privacy, but not with network usage and phone number privacy.
When these concerns are selected, the device or server automatically sets policies and limits for undesirable applications. In one embodiment, server 151 or device 101 contains pre-established policies for compliance with regulations. For example, financial or healthcare workers may be required to have a specific set of application policies in place to prevent the disclosure of confidential information. As the set of applications allowed or denied under these regulations can change over time, server 151 can automatically update the specific policy decisions that enforce the regulation without the need for an administrator to configure them specifically. To allow for inspection and auditing, server 151 can generate a list of the policy decisions it is employing to comply with regulations and can notify an administrator when policy decisions change. If an administrator rejects certain policy decisions, he can override the default policy defined by server 151.

As it may be desirable to simplify the policy configuration process, an embodiment of this disclosure is directed to server 151 or mobile communication device 101 presenting a series of questions to a user or administrator, the answers to which are used to define the policies automatically. For example, when a user is first configuring the application policy software on their device, the software may ask whether the user has an unlimited data plan, whether the user wants to allow services to access the device's location, and whether the user wants to block all tools that can be used to spy on the device. Based on the answers, the device can set the policy for blocking high data usage applications, alerting the user in the case of a high data usage application, blocking applications that send a user's location to the internet, and blocking spy applications. After this initial configuration, some users may wish to adjust the policy decisions, while others may accept the automatically configured policy.
As abusive applications can have a substantially negative impact on wireless networks, an embodiment of this disclosure is directed to providing "preventive alert" information about potentially abusive applications. In one embodiment, server 151 can use information such as behavioral data and other data at its disposal to produce an assessment of whether an application has network access characteristics that can be harmful to mobile networks. For example, an application that receives or transmits a large amount of data, sends a large number of SMS messages, or opens a large number of persistent connections can adversely affect the performance of a mobile network. After evaluating an application to determine whether it is potentially harmful to a mobile network, server 151 stores the evaluation. In one embodiment, server 151 notifies an administrator when a potentially harmful application is identified. For example, the notification can take the form of an email or text message that contains information about the potentially harmful data object.

In one embodiment, server 151 generates a web interface that shows applications that have been assessed as potentially harmful to a mobile network. The web interface can be designed to support a review workflow so that potentially harmful applications can be analyzed by an administrator. After reviewing an application, the administrator may want to take remedial action in some cases and no action in others. If an administrator chooses not to take any action, the application will not be considered potentially harmful again unless its behavior changes significantly, causing server 151 to flag the application for further review.
In order to prevent multiple data objects of a given application from being repeatedly flagged as potentially harmful, if the administrator chooses to ignore the application, all versions of that application are also ignored, since server 151 can determine whether multiple data objects belong to the same application or other grouping.

If an administrator is aware that an application is potentially harmful, he can take preventive measures to avoid serious problems if the application is installed on more devices. In one embodiment, server 151 generates a web interface allowing an administrator to take remedial actions for an application that is considered harmful. A variety of remedial actions are possible. For example, server 151 can let a network administrator communicate with the publisher of the application and work toward a resolution of the harmful behavior. Server 151 can extract the publisher's email address from market data and allow the network administrator to type a message, via the server's web interface, that server 151 sends to the publisher. When server 151 sends the email, the reply-to address of the outgoing email is specially crafted so that when the publisher responds, the server associates the reply with the initial message and publishes the reply on the web interface for the administrator to view and, if desired, continue the conversation. In one embodiment, server 151 generates a web interface that allows the administrator to configure security software installed on a group of devices. For example, the administrator can configure the security software to block the potentially harmful application or to isolate the application so that it cannot communicate over a cellular network. If the administrator wishes to block the application, server 151 can use a variety of mechanisms, such as those described here, to block the installation of the application on devices or to remove the application if it has already been installed on a device.
Because server 151 can identify multiple data objects that correspond to the same application, if an administrator blocks an application, all data objects for the application are considered blocked. If an application that was potentially harmful is fixed in a later version, server 151 may allow the administrator to specify a range of versions of the application to block.

Since it may be desirable to prevent unwanted applications from being downloaded, one embodiment of the present description is directed to server 151 generating network infrastructure configuration data. For example, server 151 can store a set of black-listed data objects and be able to generate a set of intrusion prevention system or HTTP proxy rules. The rules can attempt to match the identifiers used by mobile devices to download data objects from an application market, or to identify the content of unwanted data objects as they are transmitted over a network.

In one embodiment, server 151 generates network infrastructure configuration data to block network traffic associated with unwanted applications. Server 151 generates network infrastructure configuration rules that prevent network communication associated with unwanted applications by using data to characterize the network communications associated with the application and generating rules that block similar network traffic (for example, traffic to the same IP address, subnet or server name). In order to prevent legitimate traffic from being blocked, server 151 can analyze how unique the undesirable application's network traffic is relative to that of desirable applications and block only the network traffic that is particular to the undesirable application.
For example, if an application communicates with two servers, one a well-known server used by a variety of legitimate applications and the other an unknown server that communicates only with this application, server 151 would treat the unknown server as particular to the undesirable application.

After determining the appropriate network traffic to block, server 151 generates firewall or other network configuration rules to block network traffic from unwanted applications. For example, if a malicious application is using a specific server to exfiltrate sensitive data from people's phones, behavioral data for the application can indicate the IP address, port and protocol used to transmit the sensitive data. When an administrator wants to block the malicious application's ability to steal data, he can see the list of servers that the application communicates with and how many other applications known to server 151 normally communicate with each of those servers. The administrator can then choose which servers to block. After the servers to block are selected, server 151 generates rules that block the network traffic. In one embodiment, server 151 makes configuration data, such as Snort® intrusion detection and prevention system rules, available for download via a web interface. In one embodiment, server 151 is configured to connect directly to a network infrastructure management system to deploy configuration data.

As an administrator may be primarily concerned with a specific network, one embodiment of this disclosure is directed to server 151 producing both aggregated and operator-specific ratings to identify potentially harmful applications and generating a user interface that contains both.
For example, if an application experiences problems only when running on a device connected to a particular type of mobile network, the aggregated behavioral data may be within normal limits while the behavioral data for that particular network is harmful. A network administrator may want to see the behavior of an application on the type of network he is administering. Since individual mobile networks can treat different behaviors as abusive, a user of server 151 can configure the criteria for judging an application harmful to the network.

In the description above, numerous specific details are set forth to provide a thorough understanding of the disclosure. It will be evident, however, to a person skilled in the art that the disclosure can be practiced without these specific details. In other cases, well-known structures and devices are shown in block diagram form to facilitate explanation. The description of preferred embodiments is not intended to limit the scope of the appended claims. In addition, in the methods described here, several steps are described illustrating some of the functions of the disclosure. A person skilled in the art will appreciate that these steps are merely exemplary and are not intended to be limiting in any way. Other steps and functions can be contemplated without departing from this disclosure.
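The network rule generation described earlier for server 151 (characterize the undesirable application's traffic, keep only the endpoints particular to it, then emit blocking rules) can be sketched as follows. This is an added example, not code from the patent: the data layout, function names, application identifiers and documentation-range addresses are constructed assumptions, and the output uses standard Snort rule syntax.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed behavioral data: application -> endpoints it was observed contacting.
OBSERVED = {
    "com.example.stealer": {("203.0.113.10", 8443, "tcp"), ("198.51.100.7", 443, "tcp")},
    "com.example.mail": {("198.51.100.7", 443, "tcp")},
    "com.example.maps": {("198.51.100.7", 443, "tcp"), ("198.51.100.20", 443, "tcp")},
}
DESIRABLE = {"com.example.mail", "com.example.maps"}


def endpoint_usage(observed, target):
    """For every endpoint the target app contacts, list the other apps that also use it.

    This is the view an administrator reviews before choosing servers to block.
    """
    users = defaultdict(set)
    for app, endpoints in observed.items():
        for endpoint in endpoints:
            users[endpoint].add(app)
    return {ep: sorted(users[ep] - {target}) for ep in sorted(observed[target])}


def particular_endpoints(observed, target, desirable, max_shared=0):
    """Endpoints shared with at most max_shared desirable apps.

    With the default of 0, an endpoint used by any desirable application is
    never selected, so legitimate traffic is not blocked.
    """
    usage = endpoint_usage(observed, target)
    return [ep for ep, others in usage.items()
            if sum(1 for app in others if app in desirable) <= max_shared]


_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")  # characters not allowed in the rule message


def snort_rules(target, endpoints, first_sid=1000001):
    """Render one Snort-style drop rule per endpoint, validating every field first."""
    name = _UNSAFE.sub("_", target)
    rules = []
    for offset, (ip, port, proto) in enumerate(endpoints):
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"unsupported endpoint: {ip}:{port}/{proto}")
        rules.append(
            f'drop {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Policy block for {name}"; sid:{first_sid + offset}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    target = "com.example.stealer"
    for endpoint, others in endpoint_usage(OBSERVED, target).items():
        print(endpoint, "also used by", len(others), "other application(s)")
    for rule in snort_rules(target, particular_endpoints(OBSERVED, target, DESIRABLE)):
        print(rule)
```

The shared endpoint `198.51.100.7:443` is left alone because two desirable applications use it; only the endpoint seen exclusively with the undesirable application produces a rule.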
Claims:
Claims (38)

1. Method CHARACTERIZED by comprising: on a server computer, receiving data from a mobile communication device, the received data being associated with an application (201, 203) and being received after a determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to run on the mobile communication device; on the server computer, analyzing the received data by an appropriate component accessible by the server computer, the appropriate component containing only assessments that allow applications (903) to run on the mobile communication device; if the analysis of the received data by the appropriate component results in an assessment that the application is allowed, then, on the server computer, transmitting the assessment by the appropriate component to the mobile communication device (1209), allowing the mobile communication device to access the evaluated application; if, on the server computer, the analysis of the received data by the appropriate component does not result in an assessment that the application is allowed, then analyzing, by the server computer, the received data by an inappropriate component residing on the server computer, the inappropriate component containing only evaluations that do not allow applications (905) to run on the mobile communication device; and if, on the server computer, the analysis of the received data by the inappropriate component results in an evaluation that the application is not allowed, then transmitting, by the server computer, the evaluation by the inappropriate component to the mobile communication device (1209), preventing the mobile communication device from accessing the application.

2. Method according to claim 1, CHARACTERIZED by the fact that the received data associated with the application is data from the application (201, 203).

3. Method according to claim 1, CHARACTERIZED by the fact that the received data associated with the application is behavioral data for the application (201, 203).

4. Method according to claim 1, CHARACTERIZED by the fact that the received data associated with the application is metadata for the application (201, 203).

5. Method according to claim 1, CHARACTERIZED by the fact that the received data associated with the application includes at least part of the application (201, 203).

6. Method according to claim 1, CHARACTERIZED by the fact that the determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to be executed on the mobile communication device comprises: on the mobile communication device, analyzing the data associated with the application by an appropriate component residing on the mobile communication device to provide an evaluation of the application (903), wherein the analysis by the appropriate component on the mobile communication device does not result in an assessment that the application is allowed.

7. Method according to claim 1, CHARACTERIZED by the fact that the determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to be executed on the mobile communication device comprises: on the mobile communication device, analyzing the data associated with the application by an inappropriate component residing on the mobile communication device to provide an evaluation of the application (905), wherein the analysis by the inappropriate component on the mobile communication device does not result in an assessment that the application is not allowed.

8. Method according to claim 1, CHARACTERIZED by the fact that the determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to be executed on the mobile communication device comprises: on the mobile communication device, analyzing the data associated with the application by an appropriate component residing on the mobile communication device to provide an evaluation of the application (903), wherein the analysis of the data associated with the application by the appropriate component on the mobile communication device does not result in an assessment that the application is allowed; and then analyzing the data associated with the application by an inappropriate component residing on the mobile communication device to provide an evaluation of the application (905), wherein the analysis of the data associated with the application by the inappropriate component on the mobile communication device does not result in an assessment that the application is not allowed.

9. Method according to claim 1, CHARACTERIZED by the fact that the determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to be executed on the mobile communication device comprises: on the mobile communication device, analyzing the data associated with the application by an inappropriate component residing on the mobile communication device to provide an evaluation of the application (905), wherein the analysis of the data associated with the application by the inappropriate component on the mobile communication device does not result in an assessment that the application is not allowed; and then analyzing the data by an appropriate component residing on the mobile communication device to provide an evaluation of the application (903), wherein the analysis of the data associated with the application by the appropriate component on the mobile communication device does not result in an evaluation that the application is allowed.

10. Method according to claim 1, CHARACTERIZED by the fact that it additionally comprises: if the analysis of the data associated with the application by the appropriate component accessible by the server computer does not result in a positive assessment that the application is allowed, and if the analysis of the data associated with the application by the inappropriate component accessible by the server computer does not result in an assessment that the application is not allowed, then analyzing the application by the server to provide an assessment of the application (903, 905); and storing the evaluation of the application in a data store accessible to the server (111).

11. Method according to claim 10, CHARACTERIZED by the fact that analyzing the application, by the server, to provide an evaluation comprises analyzing the data associated with the application by a decision component accessible by the server (907).

12. Method according to claim 1, CHARACTERIZED by additionally comprising: requesting, by the server, additional data pertaining to the application (211); and analyzing the additional data to determine an evaluation corresponding to the application (219).

13. Method according to claim 1, CHARACTERIZED by the fact that the transmission of the evaluation by the inappropriate component includes transmitting instructions that the mobile communication device (1209) is not allowed to access the evaluated application (911).

14. Method according to claim 1, CHARACTERIZED by the fact that the evaluation by the inappropriate component includes a notification for the mobile communication device (419).

15. Method according to claim 14, CHARACTERIZED by the fact that the notification is a warning (419).

16. Method according to claim 14, CHARACTERIZED by the fact that the notification is an instruction to uninstall the application (419).

17. Method according to claim 1, CHARACTERIZED by the fact that the transmission of the evaluation by the appropriate component includes transmitting instructions that the mobile communication device is allowed to access the evaluated application (911).

18. Method according to claim 10, CHARACTERIZED by the fact that the analysis of the application by the server includes analysis of the received data to provide an evaluation of the application (903, 905).

19. Method according to claim 1, CHARACTERIZED by the fact that it additionally comprises: on the server, storing a plurality of hashes and a corresponding plurality of application evaluations (1203, 1205, 1208, 1209), wherein: the received data include a hash corresponding to the application (1206); analyzing the received data by the appropriate component or the inappropriate component includes determining whether the received hash corresponds to a stored hash (1208); and if the received hash corresponds to a stored hash, the evaluation by the appropriate component or the inappropriate component includes the stored evaluation, of the plurality of stored evaluations, corresponding to the matching stored hash (1209).

20. Method CHARACTERIZED by comprising: determining, by a mobile communication device, that a local store on the mobile communication device does not include an assessment of whether an application (1203, 1205) is allowed to run on the mobile communication device; sending, by the mobile communication device to a server computer, data associated with the application (201, 203); receiving, by the mobile communication device from the server, an evaluation that allows the application to run on the mobile communication device if an analysis of the received data by an appropriate component accessible by the server computer provides an evaluation that allows the mobile communication device to execute the application (903), the appropriate component containing only evaluations that allow the execution of applications on the mobile communication device; and receiving, by the mobile communication device from the server, an evaluation that does not allow the application to run on the mobile communication device if an analysis of the received data by an inappropriate component accessible by the server computer provides an evaluation that does not allow the mobile communication device to run the application (903), the inappropriate component containing only assessments that do not allow applications to run on the mobile communication device.

21. Method according to claim 20, CHARACTERIZED by the fact that the received data associated with the application is data from the application (201, 203).

22. Method according to claim 20, CHARACTERIZED by the fact that the received data associated with the application is behavioral data for the application (201, 203).

23. Method according to claim 20, CHARACTERIZED by the fact that the received data associated with the application is metadata for the application (201, 203).

24. Method according to claim 20, CHARACTERIZED by the fact that the received data associated with the application includes at least part of the application (201, 203).

25. Method according to claim 20, CHARACTERIZED by the fact that the determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to be executed on the mobile communication device comprises: analyzing the data associated with the application by an appropriate component residing on the mobile communication device to provide an evaluation of the application (903), wherein the analysis by the appropriate component does not result in an evaluation that the application is allowed.

26. Method according to claim 20, CHARACTERIZED by the fact that the determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to be executed on the mobile communication device comprises: analyzing the data associated with the application by an inappropriate component residing on the mobile communication device to provide an evaluation of the application (905), wherein the analysis by the inappropriate component does not result in an evaluation that the application is not allowed.

27. Method according to claim 20, CHARACTERIZED by the fact that the determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to be executed on the mobile communication device comprises: analyzing the data associated with the application by an appropriate component residing on the mobile communication device to provide an evaluation of the application (903), wherein the analysis of the data associated with the application by the appropriate component does not result in an assessment that the application is allowed; and then analyzing the data associated with the application by an inappropriate component residing on the mobile device to provide an evaluation of the application (905), wherein the analysis of the application by the inappropriate component does not result in an evaluation that the application is not allowed.

28. Method according to claim 20, CHARACTERIZED by the fact that the determination, by the mobile communication device, that a local store on the mobile communication device does not include an assessment of whether the application (1203, 1205) is allowed to be executed on the mobile communication device comprises: analyzing the data associated with the application by an inappropriate component residing on the mobile communication device to provide an evaluation of the application (905), wherein the analysis of the data associated with the application by the inappropriate component does not result in an assessment that the application is not allowed; and then analyzing the data by an appropriate component residing on the mobile communication device to provide an assessment of the application (903), wherein the analysis of the data associated with the application by the appropriate component does not result in an assessment that the application is allowed.

29. Method according to claim 20, CHARACTERIZED by additionally comprising: if the analysis of the data associated with the application by the appropriate component does not result in a positive assessment that the application is allowed, and if the analysis of the data associated with the application by the inappropriate component does not result in an assessment that the application is not allowed, then analyzing the application by the server to provide an evaluation of the application (903, 905); and storing the evaluation of the application in a data store accessible by the server (111).

30. Method according to claim 29, CHARACTERIZED by the fact that analyzing the application, by the server, to provide an evaluation comprises analyzing the data associated with the application by a decision component accessible by the server (907).

31. Method according to claim 29, CHARACTERIZED by additionally comprising: requesting, by the server, additional data pertaining to the application (211); and analyzing the additional data to determine an evaluation corresponding to the application (219).

32. Method according to claim 20, CHARACTERIZED by the fact that receiving the assessment that does not allow the application to run on the mobile communication device includes receiving instructions that the mobile communication device (1209) is not allowed to access the evaluated application (911).

33. Method according to claim 20, CHARACTERIZED by the fact that the evaluation that does not allow the application to run on the mobile communication device includes a notification to the mobile communication device (419).

34. Method according to claim 33, CHARACTERIZED by the fact that the notification is a warning (419).

35. Method according to claim 33, CHARACTERIZED by the fact that the notification is an instruction to uninstall the application (419).

36.
Method according to claim 20, CHARACTERIZED by the fact that receiving the assessment that allows the application to run on the mobile communication device includes receiving instructions that the mobile communication device is allowed to access the evaluated application (911 ). [0037] 37. Method according to claim 29, CHARACTERIZED by the fact that the analysis of the application by the server includes analysis of the data received to provide an evaluation of the application (903, 905). [0038] 38. Method according to claim 20, CHARACTERIZED by additionally comprising: on the server, storing a plurality of hashes and a corresponding plurality of application evaluations (1203, 1205, 1208, 1209), in which: the received data includes a hash corresponding to the application (1206), analyze the data received by the appropriate component or the inappropriate component, including determining whether the received hash corresponds to a stored hash (1208) and whether the received hash corresponds to a stored hash, the evaluation by the appropriate component or by inappropriate component includes the stored evaluation from the plurality of stored evaluations that correspond to the corresponding stored hash (1209).
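The assessment flow recited in claims 20, 27, 29 and 38, as an added Python sketch that is not code from the patent or from the applicant. The class and function names, the choice of SHA-256 for the hash, the server consulting its data store before re-running the decision component, and the `sample_decide` rule are all assumptions made for illustration.

```python
import hashlib
from typing import Callable, Dict, Optional, Set

ALLOW, DENY = "allow", "deny"


def app_hash(app_bytes: bytes) -> str:
    # The claims only say "a hash"; SHA-256 is an assumption of this sketch.
    return hashlib.sha256(app_bytes).hexdigest()


class HashComponent:
    """A hash store that can only ever return one kind of evaluation."""

    def __init__(self, verdict: str):
        self.verdict = verdict
        self.hashes: Set[str] = set()

    def add(self, h: str) -> None:
        self.hashes.add(h)

    def evaluate(self, h: str) -> Optional[str]:
        # Claim 38: a stored-hash match yields the stored evaluation.
        # A miss yields no evaluation at all, never the opposite verdict.
        return self.verdict if h in self.hashes else None


class Server:
    def __init__(self, decide: Callable[[dict], str]):
        self.appropriate = HashComponent(ALLOW)    # allow-only evaluations
        self.inappropriate = HashComponent(DENY)   # deny-only evaluations
        self.data_store: Dict[str, str] = {}       # evaluations kept per claim 29
        self.decide = decide                       # decision component (claim 30)
        self.decision_calls = 0

    def assess(self, data: dict) -> str:
        h = data["hash"]
        # Claim 27 order: appropriate component first, then inappropriate.
        for component in (self.appropriate, self.inappropriate):
            verdict = component.evaluate(h)
            if verdict is not None:
                return verdict
        if h in self.data_store:                   # assumption: reuse stored result
            return self.data_store[h]
        # Claim 29: neither component answered, so the server analyses the
        # application itself and stores the evaluation.
        self.decision_calls += 1
        verdict = self.decide(data)
        if verdict not in (ALLOW, DENY):
            raise ValueError("decision component must return allow or deny")
        self.data_store[h] = verdict
        return verdict


class Device:
    def __init__(self, server: Server):
        self.server = server
        self.local_store: Dict[str, str] = {}
        self.server_requests = 0

    def may_run(self, app_bytes: bytes, metadata: dict) -> bool:
        h = app_hash(app_bytes)
        if h not in self.local_store:              # claim 20: no local assessment
            self.server_requests += 1
            data = {"hash": h, "metadata": metadata}
            self.local_store[h] = self.server.assess(data)
        return self.local_store[h] == ALLOW


def sample_decide(data: dict) -> str:
    # Constructed placeholder rule, not the patent's analysis.
    return DENY if data["metadata"].get("unsigned") else ALLOW
```

Because the device caches each verdict, a later change of evaluation on the server reaches it only through the server-to-device notifications the patent describes, which this sketch omits.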
Patent family:
Publication number | Publication date
JP6019484B2 | 2016-11-02
CN103180862A | 2013-06-26
EP2609538A4 | 2014-01-22
KR101558715B1 | 2015-10-07
RU2571594C2 | 2015-12-20
EP2609538B1 | 2016-10-19
KR20130129184A | 2013-11-27
WO2012027588A1 | 2012-03-01
RU2013113053A | 2014-09-27
JP2013540303A | 2013-10-31
BR112013004345A2 | 2016-05-31
EP2609538A1 | 2013-07-03
CN103180862B | 2016-03-02
Legal status:
2018-03-06 | B25G | Requested change of headquarter approved | Owner name: LOOKOUT, INC (US)
2018-12-26 | B06F | Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette]
2020-07-28 | B06A | Notification to applicant to reply to the report for non-patentability or inadequacy of the application [chapter 6.1 patent gazette]
2020-09-29 | B09A | Decision: intention to grant [chapter 9.1 patent gazette]
2020-12-08 | B16A | Patent or certificate of addition of invention granted | Free format text: TERM OF VALIDITY: 20 (TWENTY) YEARS COUNTED FROM 25/08/2011, SUBJECT TO THE LEGAL CONDITIONS.
Priority:
Application number | Application date | Patent title
US12/868,672 | 2010-08-25 |
US12/868,669 | US8347386B2 | 2008-10-21 | 2010-08-25 | System and method for server-coupled malware prevention
US12/868,672 | US8533844B2 | 2008-10-21 | 2010-08-25 | System and method for security data collection and analysis
US12/868,676 | 2010-08-25 |
US12/868,676 | US9367680B2 | 2008-10-21 | 2010-08-25 | System and method for mobile communication device application advisement
US12/868,669 | 2010-08-25 |
PCT/US2011/049182 | WO2012027588A1 | 2010-08-25 | 2011-08-25 | System and method for server-coupled malware prevention