Abstract: The present invention discloses a device agnostic data protection layer (209), that operates on an operating system (207) and provides enhanced security to the electronic devices. In one embodiment, each application operating on the electronic device has a hash signature and an access policy holding a permissions record. The permissions record may comprise an identification of one or more applications, accessible to the said application. In one embodiment, a request is received from a first application for permission to access a second application or data associated with the second application. The permissions record for the first application may be accessed to determine whether the first application has permission to access the data associated with the second application. The first application may be granted permission to access or blocked from accessing the data associated with the second application based on the permissions record and hash mapping between the first and second application. [To be published with figure 3]
Claims:
We Claim:
1. A system (301) for providing an end user device security, the system comprising:
a processor (201); and
a memory (205) coupled to the processor (201), wherein the memory (205) comprises an operating system (207) characterized in that, the operating system (207) is provisioned with a data protection layer (209) supported by a block-chain technique, the data protection layer (209) comprising programmed instructions (211) to be executed by the processor (201), the programmed instructions (211) comprising instructions for:
configuring access policy for each of a plurality of applications capable of being installed on any computing device (303), wherein the plurality of applications are pre-stored in a repository (219) corresponding to the operating system (207), wherein each application has a hash signature comprising a hash identifier of the said application, and wherein the access policy for each application has a permissions record comprising an identification of one or more other applications, within the repository (219), accessible to the said application;
receiving a request from a first application, of the plurality of applications, to access data associated with a second application of the plurality of applications;
accessing the permissions record for the first application, wherein the permissions record comprises an identification of the second application from which a permission is needed;
verifying that the first application has permission to access the data associated with the second application based, at least in part, on the permissions record; and
granting permission to access the second application, or blocking the first application based, at least in part, on the permissions record and hash mapping of the first application and the second application.
2. The system (301) as claimed in claim 1, wherein the permissions record corresponding to each application includes a permissions authority digital signature that is digitally signed with a permissions authority signing key, wherein the system further comprises:
accessing the permissions authority digital signature in the permissions record; verifying the permissions authority digital signature in the permissions record; and
granting permission to install or block the said application, based on the permissions authority digital signature in the permissions record.
3. The system (301) as claimed in claim 2, wherein the system (301) is in synchronization with the repository (219) of the operating system (207).
4. The system (301) as claimed in claim 1, wherein the first application is blocked while trying to access the second application, based on the identification of a mismatch in the hash mapping of the second application and the first application.
5. The system (301) as claimed in claim 4, wherein the hash mapping comprises mapping of the hash identifier of the first application with the hash identifier of the second application.
6. A method (500) for providing an end user device security, the method comprising:
configuring access policy for each of a plurality of applications capable of being installed on any computing device (303), wherein the plurality of applications are prestored in a repository (219) corresponding to the operating system (207), wherein each application has a hash signature comprising a hash identifier of the said application, and wherein the access policy for each application has a permissions record comprising an identification of one or more other applications, within the repository, accessible to the said application;
receiving a request from a first application, of the plurality of applications, to access data associated with a second application of the plurality of applications;
accessing the permissions record for the first application, wherein the permissions record comprises an identification of the second application from which a permission is needed;
verifying that the first application has permission to access the data associated with the second application based, at least in part, on the permissions record; and
granting permission to access the second application, or blocking the first application based, at least in part, on the permissions record and hash mapping of the first application and the second application;
wherein the steps of configuring access policy, receiving a request, accessing the permissions record, verifying and granting the permission are performed by a processor using programmed instruction stored in a data protection layer (209) supported by block-chain technique provisioned on the operating system prestored in a memory (205) coupled with the processor (201).
7. The method (500) as claimed in claim 6, wherein the permissions record corresponding to each application includes a permissions authority digital signature that is digitally signed with a permissions authority signing key, wherein the method further comprises:
accessing the permissions authority digital signature in the permissions record; verifying the permissions authority digital signature in the permissions record; and
granting permission to install or block the said application, based on the permissions authority digital signature in the permissions record.
8. The method (500) as claimed in claim 7, wherein the processor (201) is in synchronization with the repository (219) of the operating system (207).
9. The method (500) as claimed in claim 6, wherein the first application is blocked while trying to access the second application, based on the identification of a mismatch in the hash mapping of the second application and the first application.
10. The method (500) as claimed in claim 9, wherein the hash mapping comprises mapping of the hash identifier of the first application with the hash identifier of the second application.
Description:
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
TITLE OF INVENTION:
A SYSTEM AND METHOD FOR PROVIDING END USER DEVICE SECURITY
APPLICANT:
Zensar Technologies Limited, an Indian Entity,
having address as:
ZENSAR KNOWLEDGE PARK,
PLOT # 4, MIDC, KHARADI, OFF
NAGAR ROAD, PUNE-411014,
MAHARASHTRA, INDIA
The following specification describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
The present subject matter described herein, in general relates to a system and method for providing advanced end user device security. More particularly, the present subject matter relates to a data protection layer that operates on the operating system and provides enhanced security to the electronic devices.
BACKGROUND
Generally, the operating system architecture under which computer applications execute with respect to hardware and application software is as disclosed in Figure 1. The operating system architecture operates at three prominent levels: Hardware Level, Software Level and User Level. The Hardware Level operates on the hardware units of a Processor, an Input / Output System such as mouse, monitor etc. and RAM, which performs all the processes. Further, the Software Level consists of two parts: firstly, the boot image of the system-critical software, which includes all the daemon processes, and secondly, the other application software that is installed as per user requirements. Furthermore, the User Level is the level at which users operate and execute applications according to the level of access / permission granted to the user. However, a significant problem faced while using such architectures is that it is possible to circumvent the security levels of the architecture and inject malicious software or scripts into the system.
Figure 2 discloses an existing software system that is vulnerable to external attacks, cybercrimes and data theft. In the present software architectures (200), an attacker is able to transfer malicious code to the victim’s machine in a number of ways. In such attacks, the attacker initially creates a malicious script that may be transferred to the victim’s machine. Further, the attacker creates services that the victim may interact with, and such interaction may invariably allow the malicious scripts to be installed on the victim’s device. Such interactive services may include sending links or emails wherein links are embedded in the email body, or any other similar form of service. Now, as the victim interacts with such services, the malicious script installs on the victim’s machine and starts its execution. Hence, such continuous interaction of the victim with the interactive services allows the malicious scripts to be installed and executed in the form of an app on the victim’s machine. Once the app is installed successfully onto the victim’s machine, the attacker may then take control over the victim’s machine. Thus, the attacker may gain control over the victim’s device and may access or misuse the data residing on the victim’s machine.
Similar scenarios are observed at the application level, wherein applications are installed on the electronic devices. Electronic devices (such as mobile devices, smartphones, tablet computers, etc.) can be configured to allow different types of applications to execute thereon. The applications can be pre-installed or downloaded, for example, over a network. For example, the applications can be downloaded from a repository that may be integrated with an operating system of the electronic device. The applications tend to access other applications’ data or files with or without the user’s permission.
As part of an installation of an application, the repository may be designed such that all permissions associated with an application must be accepted prior to installation of the application. These permissions can include authorizations to allow the application to access data on the electronic device. For example, some applications need permissions to access the phone logs, contacts, the device's current location, device identifiers or other information uniquely identifying the device, etc. A group of applications may be associated with permissions for sharing data among a plurality of applications. However, for such a permission, the group of applications must be associated with a common application provider certificate, and the group of applications may be unable to limit the types of data shared between applications associated with the common application provider certificate.
In general, when a user installs an application such as WhatsApp™ on his personal device, the application invariably accesses other applications’ data, such as data storage, contacts, camera, gallery, etc. Therefore, the WhatsApp™ application may access other applications’ data or files with or without the user’s permission. However, there is no guarantee that the installed application does not monitor another application’s sensitive data without the user’s prior permission.
Further, Fig. 2 discloses a scenario in which an application is installed locally on the user device and starts accessing the data or files of the other applications residing on the user device. However, another possible scenario is that of a hacker, or an application that is not installed locally but located remotely, accessing the data or files of the locally stored applications. The currently available systems do not provide any facility to monitor such activity by hackers or remotely located applications.
Hence, there is a long-standing need to provide a secure system for electronic devices that are vulnerable to applications seeking access to unauthorized data or applications without prior valid access permissions. Further, the secure system needs to be compatible with the various operating systems that are enabled on different electronic devices.
SUMMARY
This summary is provided to introduce concepts related to a system and method for providing advanced end user device security. It must be noted herein that ‘end user device security’ throughout this disclosure refers to providing control-oriented security to the user device and the applications installed on it. The user device is secured by harnessing the data protection layer, which prevents the installation of any unauthorized applications and blocks applications trying to access any unauthorized file or data of another application. This summary is not intended to identify essential features of the claimed subject matter, nor is it intended for use in determining or limiting the scope of the claimed subject matter.
In one embodiment, the present subject matter discloses a system for providing enhanced end user device security. The system may comprise a processor and a memory coupled to the processor. The memory may further comprise an operating system that is provisioned with a data protection layer, which is further supported by a block-chain technology. The data protection layer may comprise programmed instructions executed by the processor. The processor may execute programmed instructions to configure an access policy for each of a plurality of applications capable of being installed on any computing device. The plurality of applications may refer to the pre-stored applications available in a repository corresponding to the operating system. In one aspect, each application may have a hash signature that comprises a hash identifier for the said application. In another aspect, the access policy for each application may have a permissions record that comprises an identification of one or more other applications that are accessible to the said application. The processor may further execute programmed instructions to receive a request from a first application to access data associated with a second application of the plurality of applications. Further, the processor may execute programmed instructions to access the permissions record for the first application. In an aspect, the permissions record of the first application may comprise an identification of the second application from which a permission is needed. The processor may further execute programmed instructions to verify whether the first application has permission to access the data associated with the second application. Furthermore, the processor may execute programmed instructions to grant permission to access the second application, or to block the first application from accessing the second application, based on the permissions record and the hash mapping of the first application and the second application.
In another embodiment, the present subject matter discloses a method for providing end user device security. The method may include configuring an access policy for each of a plurality of applications capable of being installed on any computing device. The plurality of applications may be prestored in a repository that corresponds to the operating system. In an aspect, each application may have a hash signature that may comprise a hash identifier of the said application. In another aspect, the access policy for each application may have a permissions record that may identify one or more accessible applications present within the repository. The method may further include receiving a request from a first application to access data associated with a second application of the plurality of applications. Further, the method may include accessing the permissions record for the first application. In an aspect, the permissions record may comprise an identification of the second application from which a permission is needed. The method may further include verifying whether the first application has permission to access the data associated with the second application based on the permissions record. Furthermore, the method may include granting permission to access the second application, or blocking the first application from accessing the second application, based on the permissions record and the hash mapping of the first application and the second application. In accordance with this embodiment, the steps of configuring the access policy, receiving a request, accessing the permissions record, verifying and granting the permission are performed by a processor using programmed instructions stored in a data protection layer. Further, the data protection layer is supported by block-chain technology and is provisioned on the operating system that is prestored in a memory coupled with the processor.
BRIEF DESCRIPTION OF DRAWINGS
The detailed description is described with reference to the accompanying Figures. Reference numbers are used throughout the drawings to refer to features and components.
Figure 1 illustrates a generalized architecture 100 of an operating system, in accordance with the prior art.
Figure 2 illustrates a generalized scenario 200, wherein an attacker transfers malicious code to the victim’s machine as observed in the existing art.
Figure 3 illustrates an implementation 300 of a system (301) (hereinafter interchangeably referred to as secure file system (301)) for providing advanced end user device security, in accordance with an embodiment of the present subject matter.
Figure 4 illustrates an overall architecture 400 of the proposed system (301) for enabling advanced user device security based on a block-chain model, in accordance with an embodiment of the present disclosure.
Figure 5 illustrates a method 500 for providing advanced end user device security, in accordance with an embodiment of the present disclosure.
Figure 6 illustrates a flow chart 600 disclosing the operation of the system (301) while installing an application.
Figure 7 illustrates a flow chart 700 disclosing the operation of the system (301) while executing an application.
Figure 8 illustrates an access mechanism (800) disclosing the remote application (801) accessing a locally stored application (803).
DETAILED DESCRIPTION
Reference throughout the specification to “various embodiments,” “some embodiments,” “one embodiment,” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Thus, appearances of the phrases “in various embodiments,” “in some embodiments,” “in one embodiment,” or “in an embodiment” in places throughout the specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
Referring to Figure 3, a network implementation (300) of a secure file system (301) for providing advanced end user device security is illustrated, in accordance with an embodiment of the present subject matter.
In an embodiment, the secure file system (301) may be connected to a user device (303) over a network (302). It may be understood that the secure file system (301) may be accessed by multiple users through one or more user devices, collectively referred to as a user device (303). The user device (303) may be any electronic device, communication device, computing device, image capturing device, machine, software, automated computer program, a robot, or a combination thereof.
In an embodiment, though the present subject matter is explained considering that the system (301) is implemented (as a secure file system) on a server, it may be understood that the system (301) may also be implemented in a variety of user devices, such as, but not limited to, a portable computer, a personal digital assistant, a handheld device, a mobile, a laptop computer, a desktop computer, a notebook, a workstation, a mainframe computer, a mobile device, and the like. In one embodiment, the system (301) may be implemented in a cloud-computing environment. In an embodiment, the network (302) may be a wireless network such as Bluetooth, Wi-Fi, 3G, 4G/LTE and the like, a wired network, or a combination thereof. The network (302) can be accessed by the user device (303) using wired or wireless network connectivity means, including updated communications technology.
In one embodiment, the network (302) can be implemented as one of the different types of networks, cellular communication network, local area network (LAN), wide area network (WAN), the internet, and the like. The network (302) may either be a dedicated network or a shared network. The shared network represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like, to communicate with one another. Further, the network (302) may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
Further, referring to Figure 3, various components of the secure file system (301) are illustrated, in accordance with an embodiment of the present subject matter. As shown, the system (301) may include at least one processor (201), an input/output interface (203), a memory (205), operating system (207), data protection layer (209), programmed instructions (211) and data (217). In one embodiment, the at least one processor (201) is configured to fetch and execute computer-readable instructions stored in the memory (205).
In one embodiment, the I/O interface (203) may be implemented as a mobile application or a web-based application and may further include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface (203) may allow the system (301) to interact with the user devices (303). Further, the I/O interface (203) may enable the user device (303) to communicate with other computing devices, such as web servers and external data servers (not shown). The I/O interface (203) can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. The I/O interface (203) may include one or more ports for connecting to another server. In an exemplary embodiment, the I/O interface (203) is an interaction platform which may provide a connection between users and the system (301).
In an implementation, the memory (205) may include any computer-readable medium known in the art including, for example, volatile memory, such as static random-access memory (SRAM) and dynamic random-access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and memory cards. The memory (205) may include an operating system (207) and data (217).
In one embodiment, the operating system (207) may include the system software that manages computer hardware, software resources, and provides common services for computer programs. The operating system (207) may include a data protection layer (209). The data protection layer (209) may include programmed instructions (211) executed by the processor (201).
In one embodiment, the programmed instructions (211) may include, routines, programmes, objects, components, data structures, etc. which perform particular tasks, functions, or implement particular abstract data types. Further, the programmed instructions (211) may include policy module (213) and blockchain module (215). The data (217) may comprise a data repository (219), and other data (221). The data repository (219) may store multiple applications corresponding to the operating system (207). The other data (221) amongst other things, serves as a repository for storing data processed, received, and generated by one or more components and programmed instructions.
The aforementioned computing devices may support communication over one or more types of networks in accordance with the described embodiments. For example, some computing devices and networks may support communications over a Wide Area Network (WAN), the Internet, a telephone network (e.g., analog, digital, POTS, PSTN, ISDN, xDSL), a mobile telephone network (e.g., CDMA, GSM, NDAC, TDMA, E-TDMA, NAMPS, WCDMA, CDMA-2000, UMTS, 3G, 4G), a radio network, a television network, a cable network, an optical network (e.g., PON), a satellite network (e.g., VSAT), a packet-switched network, a circuit-switched network, a public network, a private network, and/or other wired or wireless communications network configured to carry data. Computing devices and networks also may support wireless wide area network (WWAN) communications services including Internet access such as EV-DO, EV-DV, CDMA/1×RTT, GSM/GPRS, EDGE, HSDPA, HSUPA, and others.
The aforementioned computing devices and networks may support wireless local area network (WLAN) and/or wireless metropolitan area network (WMAN) data communications functionality in accordance with Institute of Electrical and Electronics Engineers (IEEE) standards, protocols, and variants such as IEEE 802.11 (“WiFi”), IEEE 802.16 (“WiMAX”), IEEE 802.20x (“Mobile-Fi”), and others. Computing devices and networks also may support short range communication such as a wireless personal area network (WPAN) communication, Bluetooth® data communication, infrared (IR) communication, near-field communication, electromagnetic induction (EMI) communication, passive or active RFID communication, micro-impulse radar (MIR), ultra-wide band (UWB) communication, automatic identification and data capture (AIDC) communication, and others.
The working of the system (301) in facilitating advanced user device security will now be described in detail with reference to Figures 3, 4, 5, 6, 7 and 8, as below:
Referring to Fig. 3, a system (301) for providing end user device security is illustrated, in accordance with an embodiment of the present disclosure. In one embodiment, the system (301) may include a memory (205) that is coupled to the processor (201). The memory (205) may comprise an operating system (207) that is provisioned with a data protection layer (209). The data protection layer (209) may be enabled with block-chain technology, wherein a blockchain represents a linked list of transactions that contains data and a hash pointer. The hash pointer may point to the previous block in the blockchain. Therefore, the data protection layer (209) in the present subject matter may function based on the verification of hashes and digital signatures, as employed in the block-chain mechanism. Further, the data protection layer (209) may comprise programmed instructions (211) that may configure an access policy for each of a plurality of applications that are capable of being installed on any computing device. The plurality of applications may be pre-stored in a repository (219) of the corresponding operating system (207). Further, each application has a hash signature that may comprise a hash identifier. Furthermore, the access policy for each application may have a permissions record that may comprise the identification of one or more other applications present within the repository (219) that are accessible to the said application. In addition, the permissions record corresponding to each application may include a permissions authority digital signature that is digitally signed with a permissions authority signing key. The permissions authority digital signature may be used by the system (301) to verify and grant permission to install, or to block, the application or an update of any application.
In one embodiment, the processor (201) may be configured for receiving a request from a first application to access data associated with a second application of the plurality of applications. The processor (201) may be further configured to access the permissions record for the first application. The permissions record of the first application may comprise an identification of the second application from which a permission is needed. The processor (201) may be further configured to verify whether the first application has permission to access the data associated with the second application. The processor (201) may be further configured to grant permission to access the second application, or block the first application from accessing the second application based on the permissions record and hash mapping of the first application and the second application.
In another embodiment, a locally available application may be remotely accessed by an application or a user. In such scenarios, the disclosed data protection layer (209) may verify the authenticity of the accessing application or user. Once verified, the system (301) may grant permission to the remotely located user or application to access the application’s data. In another embodiment, if the user’s or application’s authenticity shows a discrepancy, then the remote application or user may be blocked from accessing the locally stored application. Therefore, the data protection layer (209) of the disclosed secure file system (301) may also facilitate monitoring such a scenario, wherein the locally stored application is being accessed remotely by a user or another application.
In one embodiment, the data repository (219) for the corresponding operating system (207) may include AppStore® for MacOS®, Google Play Store® for Android®, etc.
In another embodiment, the system (301) is in synchronization with the data repository (219) of the operating system (207).
In another embodiment, the applications may include contacts, phone logs, gallery, the WhatsApp application, the Instagram application, calendar information, information about the device's current location and location history, device identifiers etc., or their data.
Now, referring to Figure 4, the architecture (400) of the system (301) for providing end user device security is illustrated, in accordance with an embodiment of the present disclosure. The disclosed system (301) may be in synchronization with all the repositories (401) of the operating systems (402). The examples as disclosed in Fig. 2 may include the AppStore for MacOS or iPhone based systems, Google Play Store for Android based systems, Windows for Microsoft, and the Linux repository for the Linux operating system. It must be noted herein that these repositories and their corresponding Operating Systems have been described as exemplary embodiments, and the person skilled in the art can easily realize and appreciate that the present subject matter is not limited to these Operating Systems and repositories but can be extended to cover any other operating system and its repository without departing from the scope of the present subject matter.
Further, the architecture (400) of the system (301) may include a secure file system module (403), which may provide a blockchain-based advanced security feature to the operating systems of the computing platforms. In another embodiment, all the applications published in the repository (401) may have their own hash signature. Further, all the applications published over the repositories (401) may also carry the details regarding the applications, files or storage data they may access.
In one implementation, as the user downloads or installs the application, the blockchain based advanced security feature of the disclosed system (301) becomes operational. The security mechanism of the secure file system module (403) includes three modules:
1. Access Issuer: The Access Issuer module may grant permission to applications requesting access to the data of other applications, based on the user’s settings. Therefore, an application may be able to access another application’s data or files only if the owner has agreed to grant the requesting application access to that application or its data.
2. Permission Holder: The Permission Holder module may hold the permissions data, once the application is granted permission to access other application’s data or files.
3. Access Verifier: The Access Verifier module may verify that the application holds the permissions data required for accessing the other application’s data or files. In another embodiment, if the verifier module detects any mismatch or discrepancy in the permissions data, it may instantly block the execution of the application seeking access to the other application’s files.
Therefore, in general, the published app in the repository may have a verified hash, which may be verified by the secure file system module (403). The disclosed system may allow download or installation of the file or application if the corresponding app is verified by the repository and the application describes its access rights to access data of other applications or files or application logs.
In another embodiment, once the hash and access policy are verified, the system may allow the application to be installed on the local computing device. Further, as all the necessary permissions to access data or other applications’ files are specified and verified at the repository, the application may hold a hash ID. The hash ID may be used by the application to index other applications’ data or files.
In another embodiment, as the application tries to access data or logs of some other application, the access verifier module may check the hash index of the application (similar to hash mapping of one application to other application or data of the other application). Further, if the verifier module detects any mismatch in the hash index, it may instantly block the execution of the application seeking access to other application’s files.
Therefore, in general, the blockchain based advanced security feature of the disclosed system (301) may validate each application’s activity during its installation and also once it gets installed on the user electronic device. Further, the blockchain based security feature may verify the access rights of any application every single time it tries to access other application’s data or files.
In another embodiment, since the blockchain based advanced security feature of the disclosed system (301) acts as a layer over any operating system, enhanced security is provided while installing application updates, and accidental installation or download of a cracked version of any software is prevented, as the hash ID is verified before installation of the software.
In one embodiment, consider an application that is available in the repository for download. The application may have a verified hash, which may be verified by the secure file system (301). Upon verification, the system (301) may allow download or installation of the application if the application’s hash is verified and the application holds the access permission details disclosing the other applications’ data it can access. Upon verifying the above criteria, the application is installed on the local user machine. The installed application may hold a hash ID, so that the hash ID can be used by the system (301) to monitor the activity of the installed application as it tries to access other applications’ data. As the application accesses another application’s data, the hash IDs of the accessor application and the accessed application are mapped. On mapping the hash values, the accessor application is granted permission to access the other application’s data, or is blocked from execution if the hash mapping shows a mismatch or discrepancy.
In another embodiment, the application may be a remote application having a hash signature. As the remote application tries to access the local application’s data, its hash signature is verified by the access verifier of the system (301). In case of discrepancy, the remote application is blocked from execution.
Now, referring to figure 5, a method (500) depicting a secure file system module (403) for providing advanced user device security is illustrated in accordance with the embodiments of the present disclosure. The order in which the method (500) is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method (500) or alternate methods. Furthermore, the method (500) can be implemented in any suitable hardware, software, firmware, or combination thereof. However, for ease of explanation, in the embodiments described below, the method (500) may be implemented in the above described system (301).
At step (501), the processor (201) may be configured for configuring access policy for each of a plurality of applications capable of being installed on any computing device. The plurality of applications may be pre-stored in a repository corresponding to the operating system. Each application of the plurality of applications may have a hash signature that may comprise a hash identifier of the said application. Further, the access policy for each application may have a permissions record that may comprise an identification of one or more other applications present within the repository, that are accessible to the said application.
At step (503), the processor (201) may be configured for receiving a request from a first application to access data associated with a second application of the plurality of applications.
At step (505), the processor (201) may be configured for accessing the permissions record for the first application, wherein the permissions record may comprise an identification of the second application from which a permission is needed.
At step (507), the processor (201) may be configured for verifying that the first application has permission to access the data associated with the second application based on the permissions record.
At step (509), the processor (201) may be configured for granting permission to access the second application or blocking the first application based on the permissions record and hash mapping of the first application and the second application.
Now, referring to figure 6, the flowchart (600) disclosing the operation of the secure file system module (403) while installing an application is illustrated. The secure file system module (403) may access the repository to install an application in the end computing device. The published application in the repository may have a verified hash, which may be verified by the secure file system module (403). The secure file system module (403) may allow installation or download of the file or app if the corresponding application is verified by the repository and the application discloses its access permissions to data or other application’s logs. On verification, the secure file system module (403) may allow the application to be installed in the local end computing device.
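The install-time check of figure 6, together with the cracked-version point made earlier (the hash ID is verified before installation), can be modelled as follows. This is an added illustration, not code from the patent or from any product of the applicant: it assumes SHA-256 of the package bytes as the hash signature, a `Repository` class standing in for the repository (219/401), and constructed sample packages. An application is installed only if its package hashes to the value the repository published and it has disclosed its access rights; an application that declares it needs no other application's data discloses an empty set, which is distinct from not disclosing at all.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PublishedApp:
    """A repository entry: the hash the publisher registered for the package
    and the access rights the application declares (None = not disclosed)."""
    name: str
    sha256: str
    declared_access: Optional[frozenset]


class Repository:
    """Minimal stand-in for the repository (219/401) of an operating system (assumed)."""

    def __init__(self) -> None:
        self._apps: dict[str, PublishedApp] = {}

    def publish(self, name: str, package: bytes,
                declared_access: Optional[set] = None) -> str:
        digest = hashlib.sha256(package).hexdigest()
        access = None if declared_access is None else frozenset(declared_access)
        self._apps[name] = PublishedApp(name, digest, access)
        return digest

    def lookup(self, name: str) -> Optional[PublishedApp]:
        return self._apps.get(name)


@dataclass(frozen=True)
class InstalledApp:
    """What the data protection layer keeps after a successful install:
    the hash ID the application will present on later access requests."""
    name: str
    hash_id: str
    declared_access: frozenset


def verify_for_install(repo: Repository, name: str, package: bytes) -> InstalledApp:
    """Install-time check of figure 6: the package must hash to the value the
    repository published (rejects tampered or cracked copies), and the
    application must disclose which other applications' data it will access."""
    entry = repo.lookup(name)
    if entry is None:
        raise PermissionError(f"{name}: not published in the repository")
    digest = hashlib.sha256(package).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(digest, entry.sha256):
        raise PermissionError(f"{name}: package hash does not match the published hash")
    if entry.declared_access is None:
        raise PermissionError(f"{name}: access rights not disclosed")
    return InstalledApp(name, digest, entry.declared_access)


def install_outcomes() -> dict[str, str]:
    """Run the check over constructed sample packages and report each result."""
    repo = Repository()
    genuine = b"gallery-app-v1.0 package bytes (constructed sample)"
    messenger_pkg = b"messenger-v2 package bytes (constructed sample)"
    repo.publish("gallery", genuine, declared_access=set())        # needs no other app's data
    repo.publish("messenger", messenger_pkg, declared_access={"contacts", "gallery"})
    repo.publish("undisclosed", b"tool-v1 (constructed sample)")   # access rights never declared

    cases = {
        "genuine gallery": ("gallery", genuine),
        "cracked gallery": ("gallery", genuine + b" patched"),
        "messenger": ("messenger", messenger_pkg),
        "undisclosed": ("undisclosed", b"tool-v1 (constructed sample)"),
        "unpublished": ("sideload", b"anything (constructed sample)"),
    }
    outcomes: dict[str, str] = {}
    for label, (name, package) in cases.items():
        try:
            verify_for_install(repo, name, package)
            outcomes[label] = "installed"
        except PermissionError as exc:
            outcomes[label] = f"refused: {exc}"
    return outcomes


if __name__ == "__main__":
    for label, result in install_outcomes().items():
        print(f"{label:16s} -> {result}")
```

Only the "genuine gallery" and "messenger" cases install; the patched copy fails the hash comparison, the application without declared access rights is refused even though its hash matches, and a name absent from the repository is refused outright.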
Now referring to figure 7, the flowchart (700) disclosing the operation of the system (301) while executing an application is illustrated. In one embodiment, all the necessary access permissions to data or other application’s data may be specified and verified at the repository. Hence, the application may hold a hash ID, used to index or map the other application’s data or files. Now, as the application tries to access data or logs of some other application, the access verifier module may check the hash index (similar to hash mapping to other application or data of other application). The application may be allowed to access other application’s data and execute its operation, in case the hash index is mapped between the two applications. On the contrary, the application may be blocked from execution, if the hash index of the two applications does not reveal mapping of any sort.
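The three modules listed above (Access Issuer, Permission Holder, Access Verifier), the steps (501) to (509) of the method (500), and the execution flow of figure 7 can be exercised together in one model. This is an added example, not code from the patent: it assumes SHA-256 of the package bytes as the hash identifier, represents the permissions record as the set of hash IDs an accessor has been granted, keyed by the accessor's own hash ID, and uses constructed sample packages. The "hash mapping" check is modelled as requiring that the hash ID a requester presents equals the one registered for that application name, which also covers the remote-application case of figure 8, where a requester with a mismatching hash signature is blocked before its permissions record is consulted.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class App:
    """An application as seen by the data protection layer: its name and the
    hash identifier from its hash signature (SHA-256 of the package, assumed)."""
    name: str
    hash_id: str


def app_from_package(name: str, package: bytes) -> App:
    return App(name, hashlib.sha256(package).hexdigest())


class PermissionHolder:
    """Holds each application's permissions record, keyed by hash ID: the
    hash IDs of the other applications it has been granted access to."""

    def __init__(self) -> None:
        self._records: dict[str, set[str]] = {}

    def record(self, accessor: App, target: App) -> None:
        self._records.setdefault(accessor.hash_id, set()).add(target.hash_id)

    def permissions_record(self, accessor_hash_id: str) -> frozenset:
        return frozenset(self._records.get(accessor_hash_id, ()))


class AccessIssuer:
    """Grants a permission only when the owner's settings agree (step 501)."""

    def __init__(self, holder: PermissionHolder,
                 owner_agrees: Callable[[str, str], bool]) -> None:
        self.holder = holder
        self.owner_agrees = owner_agrees

    def issue(self, accessor: App, target: App) -> bool:
        if self.owner_agrees(accessor.name, target.name):
            self.holder.record(accessor, target)
            return True
        return False


class AccessVerifier:
    """Checks every access request (steps 503 to 509): the requester's hash ID
    must map to the installed application of that name, and the target's
    hash ID must appear in the requester's permissions record."""

    def __init__(self, holder: PermissionHolder, installed: dict[str, App]) -> None:
        self.holder = holder
        self.installed = installed

    def verify(self, requester: App, target_name: str) -> tuple[str, str]:
        # Hash mapping: the presented hash ID must be the one registered for this
        # name; a modified or impersonating binary (local or remote) fails here.
        registered = self.installed.get(requester.name)
        if registered is None or not hmac.compare_digest(registered.hash_id, requester.hash_id):
            return "BLOCK", "hash signature mismatch for requester"
        target = self.installed.get(target_name)
        if target is None:
            return "BLOCK", "target application not installed"
        record = self.holder.permissions_record(requester.hash_id)   # step 505
        if target.hash_id in record:                                 # step 507
            return "GRANT", "target hash ID present in permissions record"
        return "BLOCK", "no permission recorded for target"          # step 509


def run_scenario() -> dict[str, str]:
    """Constructed sample: a messenger allowed to read contacts but not the
    gallery, plus a tampered copy of the messenger presenting the same name."""
    contacts = app_from_package("contacts", b"contacts-v3 (constructed sample)")
    gallery = app_from_package("gallery", b"gallery-v1 (constructed sample)")
    messenger = app_from_package("messenger", b"messenger-v2 (constructed sample)")
    installed = {a.name: a for a in (contacts, gallery, messenger)}

    # Owner's settings: the messenger may read contacts and nothing else.
    owner_settings = {("messenger", "contacts")}
    holder = PermissionHolder()
    issuer = AccessIssuer(holder, lambda accessor, target: (accessor, target) in owner_settings)
    issuer.issue(messenger, contacts)
    issuer.issue(messenger, gallery)   # owner declined, so nothing is recorded

    verifier = AccessVerifier(holder, installed)
    tampered = app_from_package("messenger", b"messenger-v2 cracked (constructed sample)")
    return {
        "messenger->contacts": verifier.verify(messenger, "contacts")[0],
        "messenger->gallery": verifier.verify(messenger, "gallery")[0],
        "tampered->contacts": verifier.verify(tampered, "contacts")[0],
        "messenger->missing": verifier.verify(messenger, "calendar")[0],
    }


if __name__ == "__main__":
    for request, decision in run_scenario().items():
        print(f"{request:20s} {decision}")
```

Keying the permissions record by hash ID rather than by name is what makes the tampered copy fail: it carries the messenger's name but a different hash identifier, so the mapping step rejects it before any permission is looked up.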
Now referring to figure 8, an access mechanism (800) disclosing a remote application (801) accessing a locally stored application (803) is illustrated. In one embodiment, the remote application (801) tries to access the locally stored application’s (803) data. The protection layer (802) of the secure file system (301) becomes operational as soon as the remote application (801) sends an access request to the system (301). On receiving the request, the protection layer (802) verifies the hash signature of the accessor application. In one embodiment, the system (301) may also consult a third-party authenticator to verify the application’s authenticity. On verifying the hash signature of the remote application (801), the protection layer (802) grants permission to access the locally stored application (803) based on the hash signatures. Further, the protection layer (802) also monitors the activity of the remote application (801) as it tries to access various files or data of the local application (803). Therefore, the protection layer (802) continuously monitors the remote application’s (801) activity to provide control-oriented security to the operating system. In one embodiment, when the remote application (801) tries to access the local application’s (803) sensitive data requiring access permissions, the access verifier of the protection layer (802) may check the hash index (similar to hash mapping to the other application or its data), and allow or block the execution of the remote application (801) depending on the hash signatures.
The system (301) for providing an end user device security as described in the present disclosure may provide multiple advantages, including but not limited to:
• The system (301) proposes a data protective layer that is device agnostic and can be embedded into any operating system.
• The disclosed system (301) provides a novel architecture that employs a highly secure blockchain model into the end user device.
• The disclosed system (301) provides a security layer for all applications, currently installed or to be installed on the end computing device, trying to access data storage or other application’s data, without prior access permissions or users granting permissions.
The embodiments, examples and alternatives of the preceding paragraphs or the description and drawings, including any of their various aspects or respective individual features, may be taken independently or in any combination. Features described in connection with one embodiment are applicable to all embodiments, unless such features are incompatible.
Although implementations for the secure file system (301) and the method (500) thereof have been described in language specific to structural features and/or methods, it is to be understood that the appended claims are not necessarily limited to the specific features or methods described. Rather, the specific features and methods are disclosed as examples of implementations for the secure file system (301) and the method (500) thereof.
The foregoing description shall be interpreted as illustrative and not in any limiting sense. A person of ordinary skill in the art would understand that certain modifications could come within the scope of this disclosure. To delimit the scope of the invention, a subsequent Complete Specification may be filed to determine the true scope and content of this disclosure.
Dated this 20th Day of April 2020
Priyank Gupta
Agent for Applicant
IN-PA-1454
| # | Name | Date |
|---|---|---|
| 1 | 202021016936-STATEMENT OF UNDERTAKING (FORM 3) [20-04-2020(online)].pdf | 2020-04-20 |
| 2 | 202021016936-REQUEST FOR EXAMINATION (FORM-18) [20-04-2020(online)].pdf | 2020-04-20 |
| 3 | 202021016936-POWER OF AUTHORITY [20-04-2020(online)].pdf | 2020-04-20 |
| 4 | 202021016936-FORM 18 [20-04-2020(online)].pdf | 2020-04-20 |
| 5 | 202021016936-FORM 1 [20-04-2020(online)].pdf | 2020-04-20 |
| 6 | 202021016936-FIGURE OF ABSTRACT [20-04-2020(online)].pdf | 2020-04-20 |
| 7 | 202021016936-DRAWINGS [20-04-2020(online)].pdf | 2020-04-20 |
| 8 | 202021016936-COMPLETE SPECIFICATION [20-04-2020(online)].pdf | 2020-04-20 |
| 9 | Abstract1.jpg | 2020-07-13 |
| 10 | 202021016936-Proof of Right [16-07-2020(online)].pdf | 2020-07-16 |
| 11 | 202021016936-FER.pdf | 2021-11-03 |
| 12 | 202021016936-OTHERS [25-04-2022(online)].pdf | 2022-04-25 |
| 13 | 202021016936-FER_SER_REPLY [25-04-2022(online)].pdf | 2022-04-25 |
| 14 | 202021016936-CLAIMS [25-04-2022(online)].pdf | 2022-04-25 |
| 15 | 202021016936-US(14)-HearingNotice-(HearingDate-20-06-2025).pdf | 2025-06-02 |
| 16 | 202021016936-Correspondence to notify the Controller [17-06-2025(online)].pdf | 2025-06-17 |
| 17 | 202021016936-FORM-26 [18-06-2025(online)].pdf | 2025-06-18 |
| 18 | 202021016936-Written submissions and relevant documents [03-07-2025(online)].pdf | 2025-07-03 |
| # | Name |
|---|---|
| 1 | SearchStrategyMatrixE_02-11-2021.pdf |