WO2015142233A1 - Application user control - Google Patents
- Publication number
- WO2015142233A1 PCT/SE2014/050328
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- application
- authorised
- ies
- user
- user control
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- the present invention relates to methods and apparatus for controlling user equipment access to and/or use of one or more application(s) in a communications network.
- IP Multimedia Subsystem is the technology defined by the Third Generation Partnership Project (3GPP) to provide IP Multimedia services over mobile communication networks. IP Multimedia services provide a dynamic combination of voice, video, messaging, data, etc. within the same session.
- the IMS makes use of the Session Initiation Protocol (SIP) to set up and control calls or sessions between user terminals.
- SIP Session Initiation Protocol
- SDP Session Description Protocol
- SIP was created as a user-to-user protocol
- the IMS allows operators and service providers to control user access to services and to charge users accordingly.
- FIG. 1 illustrates schematically how the IMS fits into the mobile network architecture in the case of a General Packet Radio Service (GPRS) communication network.
- GPRS General Packet Radio Service
- a control of communications occurs at three layers (or planes).
- the lowest layer is the Connectivity Layer 1, also referred to as the bearer plane and through which signals are directed to/from user equipment (UE) accessing the network.
- the entities within the connectivity layer 1 that connect an IMS subscriber to IMS services form a network that is referred to as the IP-Connectivity Access Network, IP-CAN.
- the GPRS network includes various GPRS Support Nodes (GSNs).
- GSN GPRS Support Nodes
- GGSN gateway GPRS support node
- the middle layer is the Control Layer 4, and at the top is the Application Layer 6.
- the IMS 3 includes a core network 3a, which operates over the middle, Control Layer 4 and the Connectivity Layer 1, and a Service Network 3b.
- the IMS core network 3a includes nodes or network entities that send/receive signals to/from the GPRS network via the GGSN 2a at the Connectivity Layer 1 and network nodes that include Call/Session Control Functions (CSCFs) 5, which operate as SIP proxies within the IMS in the middle, Control Layer 4.
- CSCFs Call/Session Control Functions
- the 3GPP architecture defines three types of CSCFs: the Proxy CSCF (P-CSCF) which is the first point of contact within the IMS for a SIP terminal; the Serving CSCF (S-CSCF) which provides services to the user that the user is subscribed to; and the Interrogating CSCF (I-CSCF) whose role is to identify the correct S-CSCF and to forward to that S-CSCF a request received from a SIP terminal via a P-CSCF.
- P-CSCF Proxy CSCF
- S-CSCF Serving CSCF
- I-CSCF Interrogating CSCF
- the top, Application Layer 6 includes the IMS service network 3b.
- Application Servers (ASs) 7 are provided for implementing IMS service functionality.
- the Home Subscriber Server (also known as a Home Location Register (HLR), User Profile Server Function (UPSF), centralised user database (CUDB) or master user database) is a subscriber server or user database that stores user subscription information or user profile information associated with UEs within the communication network.
- HSS Home Subscriber Server
- UPSF User Profile Server Function
- CUDB centralised user database
- the Sh interface may be used to exchange user subscription or user profile information (e.g. user content policy(ies), user related data, group lists, user service related information or user location information or charging function addresses, etc.) between network entities/nodes/ASs and the HSS.
- the UE may comprise or represent any device used for communications.
- Examples of UE that may be used in certain embodiments of the described network(s) are wireless devices such as mobile phones, terminals, smart phones, portable computing devices such as laptops, hand-held devices, tablets, net books, computers, personal digital assistants and other wireless communication devices, or wired communication devices such as telephones, computing devices such as desktop computers, set-top boxes, and other fixed communication devices.
- Communication networks may comprise or represent any network used for communications with UEs connected to the communications network.
- Examples of communications networks include, but are not limited to, wireless networks such as the Worldwide Interoperability for Microwave Access (WiMAX), wireless local area networks (WLAN) based on the Institute of Electrical and Electronics Engineers' (IEEE) 802.11 standards e.g. Wi-Fi networks or Internet Protocol (IP) networks, packet-switched networks or enhanced packet switched networks, telecommunication networks, IMS networks or networks supporting IMS, or communications networks based on wireless, telecommunication, cellular or satellite technologies such as mobile networks, Global System for Mobile Communications (GSM), GPRS networks, Wideband Code Division Multiple Access (W-CDMA), CDMA2000 or Long Term Evolution (LTE)/LTE Advanced networks or any 2nd, 3rd or 4th Generation and beyond type communication networks.
- GSM Global System for Mobile Communications
- W-CDMA Wideband Code Division Multiple Access
- LTE Long Term Evolution
- Rich Communications Services (also known as Rich Communications Suite services) is a platform for enabling network operators to deliver communication experiences beyond voice and short-message-services (SMSs).
- RCS relies on IMS core network for session control and service establishment as specified by the 3GPP.
- RCS can provide consumers with instant messaging or chat, live video, applications (e.g. games, chat-based games, multimedia and news services, mobile learning, smart ads and promotions, etc.), and file sharing across devices, on any network.
- RCS may also enable network operators to generate new revenue streams through the creation of applications (apps) and business-to-business (B2B) services.
- RCS can facilitate IMS end-user services deployment, and so may also facilitate IMS basic communication services (IMS CoSe), which are identified by an IMS communication service identifier (ICSI), and applications, which are identified by an IMS application reference identifier (IARI).
- IMS CoSe IMS basic communication services
- ICSI IMS communication service identifier
- IARI IMS application reference identifier
- Network operators are deploying RCS to ensure their service retains relevance for users and keeps them connected, while at the same time offering solutions and alternative products and applications to third-party over the top (OTT) application providers/markets.
- OTT application providers/markets may include the Google Android Market (e.g. Google Play), Apple iTunes App Store, and Windows (Microsoft) App Store.
- Network operators may also develop App stores that may contain network operator specific applications and/or third party applications (e.g. RCS applications) that users can browse/download/purchase and install on their UEs.
- OTT application markets include Google Android Market (Google Play) (RTM), Apple iTunes App Store (RTM), and Windows App Store (RTM), which host a myriad number of applications for use with UEs compatible with each application market place, e.g. an Android (RTM) phone user may use Google Play (RTM) to download applications, an iPhone (RTM) user may use the Apple iTunes App Store (RTM) and a Windows (RTM) phone user may use the Windows App Store (RTM).
- users do not really have any control over what types of applications they have access to on the OTT markets. For example, an application that is offensive to one user may not be offensive to another user, but if the application is listed on an application market it will be shown to all users when they browse/search through the myriad of applications in the market.
- a family may have one user subscription with multiple UEs associated with the user subscription, which allows each UE to be distributed among the family members, e.g. the parents may each have a UE and each child in the family may have a UE, in which all UEs are associated with a user subscription that is controlled and paid for by the parents.
- a company may provide employees with UEs that may be tied to one or more company user subscriptions or profiles, where the company pays for the charges incurred for the employee's use of the UE.
- the controlling users e.g. the parents or the company, may need to control the content and applications that are used on the UE.
- parents typically provide children with UEs so they may be contacted in an emergency.
- giving a child a UE can also expose the child to the OTT application market and other App stores.
- there may be applications available for the UEs with adult content e.g. rated for > 18 years old.
- the application may display a text box asking the user of the UE whether they are an adult; if the user of the UE is a child, they can simply answer in the affirmative to gain access to the application and the related adult content.
- the application may use in-app purchases, or require a subscription, or is simply payment for downloading the application, which could be charged to the account associated with the user subscription or user profile associated with the UE.
- Although the OTT application market and/or applications themselves may provide warnings when payment may be required, it is typically all too easy for anyone using the UE to reply in the affirmative to gain access to the application.
- While adults may be able to keep track of such expenses, children are typically unaware of the costs associated with applications, which may result in unexpectedly large bills from the network operator for applications a child may access/download/install and use on their UE.
- Other solutions may be required.
- companies may provide their employees with company UEs for their day-to-day work. However, by giving an employee a UE the company has to trust that the employee will use the company UE appropriately.
- the application may use in-app purchases, or require a subscription, or is simply payment for downloading the application, which could be charged to the company UE account associated with the user subscription or user profile associated with the UE.
- although the OTT application market and/or applications themselves may provide warnings when payment may be required, it is typically all too easy for anyone using the UE to reply in the affirmative to gain access to the application.
- One such solution may be parental control applications or user control software that may be explicitly installed on a UE. These are applications or software that allow parents (or even companies) to configure which applications the children or employees can download and use. But each of the UEs provided to children or employees are required to be configured appropriately.
- This application allows the parent to select a list of applications that are allowed to be used on a UE among the installed applications.
- This application can prevent the children from downloading or purchasing new applications.
- parental control applications or user control software installed on UEs have several drawbacks. These types of applications need to be configured per UE. That is the parent has to understand the application and take the time to configure the UE.
- the company will need to configure each of the UEs for the workforce that has a company UE; this can be a complex, expensive, and time-consuming process.
- the configuration of each UE must be changed if the list of restricted or allowed applications changes.
- Another drawback is that the parental control application or user control software is typically visible; therefore the user can see, and is reminded all the time, that they are being restricted. Further, if the user swaps device or manages to uninstall the parental control application, the restriction rules disappear. There does not seem to be an efficient, secure, or easy to use parental control application or user control software available in the current OTT application markets.
- the user control or parental control applications and mechanisms currently available are unreliable, difficult to use and enforce, and have a low level of security, which may lead to increased cost and irreparable harm to young users (children) and increased costs to companies to configure and enforce company UEs.
- Although OTT application markets provide some limited support for parental control applications or user control applications/software, these applications may not provide total control or confidence to controlling users (e.g. parents and/or company IT administrators) over the applications a UE may have access to. This may have a detrimental impact on the trust placed in such systems associated with such application markets.
- the present invention uses existing communication network authentication mechanisms in conjunction with a user's subscription or user profile associated with the UE to enforce user control policy(ies) for authorising access to and/or use of one or more applications available to the UE.
- the invention provides that user control policy(ies) are not specific to each UE, but are instead specific to the user identity or user subscription or user profile associated with the UE, where the user subscription for one or more UEs is stored in the communication network.
- a method for controlling access to applications in a communications network including IMS, an AS, and a plurality of UEs. At least one of the applications is associated with an application profile information.
- the method, performed by the AS includes receiving a message associated with a UE of the plurality of UEs for access to one or more of the application(s).
- the AS retrieves one or more user control policy(ies) associated with the UE, where the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
- the AS determines whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the one or more application(s).
- the AS sends, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
- determining whether one or more application(s) are authorised to be accessed by the UE further includes, for each of the one or more application(s) associated with application profile information, determining the UE is authorised to access said each application when the user control policy(ies) associated with the UE is applied to the application profile information associated with said each application indicating the UE is authorised to access said each application.
- determining whether one or more application(s) are authorised to be accessed by the UE further includes, for each of the one or more application(s) associated with application profile information, determining the UE is not authorised to access said each application when the user control policy(ies) associated with the UE is applied to the personal information associated with said each application indicating the UE is not authorised to access said each application.
- determining whether one or more application(s) are authorised to be accessed by the UE may further include, for an application not associated with any application profile information, determining the UE is authorised to access said application.
- determining further includes generating a list of authorised applications
- sending an indication further includes sending data representative of the generated list of authorised applications.
- sending an indication may further include sending a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s).
- sending an indication may further include sending a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s).
- the response message indicating the request for access was successful is a SIP successful response message
- the response message indicating the request for access failed is a SIP client failure response message.
- the SIP successful response message may be a SIP 200 OK message.
- receiving a message associated with the UE further includes receiving a request for accessing the one or more application(s), and sending the indication further includes sending data representative of the one or more application(s) authorised to be accessed and/or used by the UE for display to the user of the UE.
- the request is a Hypertext Transfer Protocol (HTTP) request
- the indication includes data representative of HTTP information associated with the one or more application(s) authorised to be accessed by the UE for display to the user of the UE.
- HTTP Hypertext Transfer Protocol
- determining further includes determining the one or more application(s) that are not authorised to be accessed by the UE based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s).
- Sending an indication further includes sending data representative that the UE is not authorised to access at least one of the one or more application(s) when at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
- receiving a message further includes receiving a request to retrieve at least one of the one or more application(s) from the AS.
- Sending an indication further includes sending data representative of a rejection response when said at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
- the request to retrieve at least one of the one or more application(s) is a SIP request.
- receiving a message further includes receiving an authorisation request associated with the UE from the network, the authorisation request including the identity of each of said one or more application(s) being accessed by said UE.
- Sending an indication further includes sending data representative of whether the UE is authorised or not authorised to access said one or more application(s) based on the user control policy(ies) of the UE.
- sending an indication further includes sending data representative of whether the UE is authorised or not authorised to access said one or more application(s) based on the user control policy(ies) of the UE includes sending a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s) and/or sending a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s).
- the response message indicating the request for access was successful is a SIP successful response message
- the response message indicating the request for access failed is a SIP client failure response message.
- the SIP successful response message may be a SIP 200 OK message.
- the authorisation request is from the IMS and is triggered by the IMS due to communications over the network by one or more of the application(s) being accessed and/or used on the UE.
- the authorisation request is from a capabilities exchange AS in response to a capabilities exchange related to the one or more of the application(s) being accessed and/or used by the UE.
- the identity of each of said one or more application(s) is based on IMS application reference identifiers of each of said one or more application(s).
- the communication network further comprises an application database accessible by the AS.
- the application database includes a plurality of records, where each record is associated with an application and includes the application profile information associated with said application.
- Determining further includes accessing the application database and retrieving one or more applications based on the user control policy(ies) associated with the UE and the application profile information associated with the one or more applications. Additionally or alternatively, determining may further include accessing the application database and retrieving one or more records associated with said applications based on the user control policy(ies) associated with the UE and the application profile information associated with the one or more applications.
- if the applications are not authorised to be accessed by the UE, then sending a notification message indicating the one or more applications the UE is not authorised to access to another UE of a user authorised to control the user control policy(ies) associated with the UE.
- retrieving one or more user control policy(ies) associated with the UE further comprises retrieving said one or more user control policy(ies) associated with the UE from an AS hosting the user subscription or user profile associated with the UE. Additionally or alternatively, retrieving one or more user control policy(ies) associated with the UE further comprises retrieving said one or more user control policy(ies) associated with the UE from another AS having access to the user control policy(ies) after the UE registered with the IMS.
- the user control policy(ies) may include one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) includes parental control information associated with said at least one of the one or more application(s).
- a method for controlling access to applications in a communications network including an IMS, an AS and a plurality of UEs and at least one of the application(s) is associated with an application profile information.
- the method performed by an apparatus associated with a UE includes transmitting a message to the AS for access to one or more of the application(s), and receiving, in response to the transmitted message, an indication of whether the one or more application(s) are authorised to be accessed by the UE based on user control policies associated with the UE and an application profile information for each of the one or more application(s) that are associated with an application profile information.
- the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
- receiving an indication further includes receiving data representative of the one or more application(s) authorised to be accessed by the UE.
- the message comprises an HTTP request, and the indication includes data representative of HTTP information associated with the one or more application(s) authorised to be accessed by the UE for display to the user of the UE.
- receiving an indication further includes receiving data representative that the UE is not authorised to access at least one of the one or more application(s) when at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
- transmitting a message further includes transmitting a request to retrieve at least one of the one or more application(s) from the AS.
- Receiving an indication further includes receiving data representative of a rejection response when said at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
- receiving the indication further includes receiving a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s), and/or receiving a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s).
- the user control policy(ies) may include one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
- the communications network includes an IMS, an AS and a plurality of UEs and at least one of the applications is associated with an application profile information.
- the method performed by an AS in the IMS, includes transmitting an authorisation request associated with the UE to said AS, the authorisation request including the identity of each of said one or more application(s) being accessed or used by said UE.
- the method also includes receiving data representative of whether the UE is authorised or not authorised to access or use said one or more application(s) based on the user control policy(ies) of the UE and the application profile information for each of the one or more application(s) that are associated with an application profile.
- the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
- receiving data representative of whether the UE is authorised or not further includes receiving a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s), and/or receiving a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s).
- the authorisation request is triggered when the AS in the IMS detects communications over the network by one or more of the application(s) being accessed or in use on the UE.
- the AS in the IMS is a capabilities exchange AS and the authorisation request is in response to a capabilities exchange related to the one or more of the application(s) capable of being accessed or used by the UE.
- the identity of each of said one or more application(s) may be based on IMS application reference identifiers of each of said one or more application(s).
- the user control policy(ies) include one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) includes parental control information associated with said at least one of the one or more application(s).
- a method for controlling access to applications in a communications network includes an IMS, an AS associated with the applications, and a plurality of UEs and at least one of the applications is associated with application profile information.
- the method performed by another AS, includes detecting IMS registration of a UE from the plurality of UEs, and retrieving user control policy(ies) associated with the UE from the user subscription or profile associated with the UE.
- the user control policy(ies) may be previously stored or associated with the user subscription or profile associated with the UE.
- the method further includes storing the user control policy(ies) associated with the UE, and receiving a request for the user control policy(ies) associated with the UE from the AS associated with the applications.
- the user control policy(ies) include one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) includes parental control information associated with said at least one of the one or more application(s).
- a method for use in controlling access to applications in a communications network including an IMS and a plurality of UEs, where at least one of the applications is associated with application profile information.
- the method performed by an apparatus, includes the steps of triggering a determination of whether a UE of the plurality of UEs may access and/or use one or more of the application(s).
- the method also includes retrieving one or more user control policy(ies) associated with the UE, wherein the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies), and retrieving application profile information associated with at least one of the one or more application(s).
- the method includes the steps of determining whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications, and indicating, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE.
- determining whether one or more application(s) are authorised to be accessed by the UE further comprises, for each of the one or more application(s) associated with application profile information, determining the UE is authorised to access said each application when the user control policy(ies) associated with the UE is applied to the application profile information associated with said each application indicating the UE is authorised to access said each application.
- determining whether one or more application(s) are authorised to be accessed by the UE further comprises, for each of the one or more application(s) associated with application profile information, determining the UE is not authorised to access said each application when the user control policy(ies) associated with the UE is applied to the personal information associated with said each application indicating the UE is not authorised to access said each application.
- the step of determining whether one or more application(s) are authorised to be accessed by the UE further includes, for an application not associated with any application profile information, determining the UE is authorised to access said application.
- the step of determining whether one or more application(s) are authorised to be accessed by the UE further includes, for an application not associated with any application profile information, determining the UE is not authorised to access said application.
- the communication network further includes an application database accessible by the apparatus, the application database comprising a plurality of records, where each record is associated with an application and includes the application profile information associated with said application.
- the step of retrieving the application profile information further comprises retrieving one or more application profile information associated with the one or more applications.
- at least one of the one or more application(s) includes application profile information and the step of retrieving the application profile information further includes extracting the application profile information from said at least one of the one or more application(s).
- retrieving one or more user control policy(ies) associated with the UE further includes retrieving said one or more user control policy(ies) associated with the UE from a subscriber server or an AS hosting the user subscription or user profile associated with the UE.
- the user control policy(ies) includes one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
- an AS for use in controlling access to applications in a communications network.
- the communications network includes an IMS and a plurality of UEs and at least one of the applications is associated with an application profile information.
- the AS including a processor, transmitter, receiver and a memory, said memory containing instructions executable by said processor.
- the AS is configured to receive a message associated with a UE of the plurality of UEs for access to one or more of the application(s) and to retrieve one or more user control policy(ies) associated with the UE.
- the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies).
- the AS is further configured to determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications.
- the AS is configured to send, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
- an apparatus for use in controlling access to applications in a communications network.
- the communications network includes IMS, an AS and a plurality of UEs. At least one of the applications is associated with an application profile information.
- the apparatus including means configured to transmit a request message associated with a UE of the plurality of UEs to the AS for access to one or more of the application(s).
- the apparatus is further configured to receive, in response to the transmitted message, an indication of whether the one or more application(s) are authorised to be accessed or used by the UE based on user control policies associated with the UE and an application profile information for each of the one or more application(s) that are associated with an application profile information.
- the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies).
- the apparatus is configured to be used in a UE, i.e. the UE has the functionality of the apparatus.
- an AS for use in controlling access to applications in a communications network.
- the communications network includes an IMS, a second AS and a plurality of UEs, where at least one of the applications is associated with an application profile information.
- the AS including means configured to transmit an authorisation request associated with the UE to said second AS, the authorisation request including the identity of each of said one or more application(s) being accessed or used by said UE.
- the AS is further configured to receive, from the second AS, data representative of whether the UE is authorised or not authorised to access or use said one or more application(s) based on the user control policy(ies) of the UE and the application profile information for each of the one or more application(s) that are associated with an application profile information.
- the user subscription or profile associated with the UE may be stored in the network and may include the user control policy(ies).
- a user control AS for use in controlling access to applications in a communications network.
- the communications network including an IMS, an AS associated with the applications, and a plurality of UEs, where at least one of the applications is associated with an application profile information.
- the user control AS including means configured to detect IMS registration of a UE from the plurality of UEs, and retrieve user control policy(ies) associated with the UE from the user subscription or profile associated with the UE.
- the user control policy(ies) may have been previously stored or associated with the user subscription or profile associated with the UE.
- the user control AS is further configured to store the user control policy(ies) associated with the UE, and receive a request for the user control policy(ies) associated with the UE from the AS associated with the applications.
- the user control AS is further configured to transmit, in response to said request, said user control policy(ies) associated with the UE to the AS associated with the applications for use in determining whether the UE is authorised to access one or more application(s) based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more applications.
- an apparatus for use in controlling access to applications in a communications network including an IMS and a plurality of UEs, where at least one of the applications is associated with application profile information.
- the apparatus including means configured to trigger a determination of whether a UE of the plurality of UEs may access and/or use one or more of the application(s).
- the apparatus is configured to retrieve one or more user control policy(ies) associated with the UE, wherein the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies), and to retrieve application profile information associated with at least one of the one or more application(s).
- the apparatus is further configured to determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications.
- the apparatus is configured to indicate, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE.
- the apparatus is configured to be used in a UE, i.e. the UE has the functionality of the apparatus.
- a computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out one or more of the method(s) as described or the functionality of the ASs and apparatus as described.
- a carrier may be provided containing the computer program as described, where the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
- Figure 1 is a diagram illustrating a typical communications network
- Figure 2 is a flow diagram illustrating an example process performed by an AS according to the present invention
- Figure 3a is a signalling flow diagram illustrating an example process of controlling access to one or more applications according to the present invention
- Figure 3b is a signalling flow diagram illustrating another example process of controlling access to one or more applications according to the present invention.
- Figure 3c is a signalling flow diagram illustrating an example process of initialising the communication system for use in controlling access to one or more applications according to the present invention
- Figure 3d is a signalling flow diagram illustrating a further example process of controlling access to one or more applications according to the present invention
- Figure 4a is a signalling flow diagram illustrating an example process of controlling access to one or more applications according to the present invention
- Figure 4b is a signalling flow diagram illustrating another example process of controlling access to one or more applications according to the present invention
- Figure 4c is a signalling flow diagram illustrating a further example process of controlling access to one or more applications according to the present invention
- Figure 4d is a signalling flow diagram illustrating yet another example process of controlling access to one or more applications according to the present invention
- FIG. 5 is a schematic illustration of an example apparatus according to the invention.
- Figure 6 is a schematic illustration of an example AS according to the invention
- Figure 7 is a schematic illustration of an example network entity/AS according to the invention.
- Figure 8 is a schematic illustration of an example user control AS 800 according to the invention.
- the invention as proposed herein improves the efficiency of enforcing user control policies when accessing and/or using one or more application(s) during browsing, downloading and purchasing applications in a communications network (e.g. an IP communications network or IMS based communications network), while at the same time improving the usability, security and reliability of the enforcement mechanism(s) for providing the control of access and/or use of the one or more applications.
- the invention consists of mechanism(s) provided by the network for enforcing user control policies when accessing and using applications (e.g. RCS applications) such as, by way of example, browsing/downloading/purchasing/installing and executing such applications.
- the mechanism(s) use a combination of communication network authentication (e.g. IMS network authentication), user control policy(ies) about the user preferences regarding application(s) and application profile information of one or more application(s) both of which are maintained in and provided by the network.
- the enforcement of the user control policies is performed based, among other information, on the identity of one or more application(s) (e.g. IMS Application Reference Identifier (IARI)), which is used to retrieve any application profile information associated with each of the one or more application(s) and which is applied to the user control policy(ies) for determining the application(s) the user is authorised to access and use on the UE.
- the primary enforcement mechanism resides within the network and has access to the user subscription or profile associated with a UE, which are stored within the network (e.g. within a home subscriber server (HSS)).
- This enforcement mechanism may be an AS configured to enforce the user control policy(ies) associated with the UE of the user against application profile information associated with one or more applications.
- the user subscription or profile may include the user control policy(ies), which are accessible by the mechanism(s) when the associated UE of the user registers with the communication network.
- the service provider or application developer for an application registers the application and provides application profile information including data representative indicating the suitability of the application to various users.
- the application profile information may include various information based on, but not limited to, age, gender, religion, genre of the application, application type, free applications with/without adware, certified/non-certified applications, popularity and ratings, application content type, parental control information, reputation of the application(s), time of access to the application.
- the user control policy(ies) define the type of rules and/or policy(ies) that the user who controls the user control policy(ies) would like to enforce to authorise or not authorise various content such as applications during, among other things, browsing/downloading/purchasing/installing and executing and/or viewing such applications or content for one or more particular UEs associated with the user's user subscription or profile.
- the user control policy(ies) may also include details of the user of the UE, for example, the age of the user, gender, religion, parent contact details, parental control information or rules etc.
- the application profile information may be applied to the user control policy(ies) to determine and/or enforce whether the application is authorised or not authorised for access and/or use by one or more UE's associated with the user control policy(ies).
- This process may be implemented and maintained within the security of the communication network and may be inaccessible to the user of the UE, unless the user has access and authorisation to create/change/delete the user control information associated with the user subscription or profile that is stored securely within the communication network and associated with the UE.
- method(s) and apparatus are provided for use in controlling access to and/or use of one or more applications in a communications network.
- the communications network including an IMS, an AS, and a plurality of UEs. At least one of the applications is associated with an application profile information.
- the method(s) and apparatus may be used to query or request whether a UE of the plurality of UEs is authorised to access or use one or more application(s). In order to do this, one or more user control policy(ies) associated with the UE are retrieved, where the user subscription associated with the UE is stored in the network and includes the user control policy(ies).
- the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the one or more application(s), which may be retrieved/extracted from each application or from a database of applications storing the application profile information.
- an indication of whether the one or more application(s) are authorised to be accessed by the UE 306 may be provided or sent to the originator of the query/request.
- FIG. 2 is a flow diagram illustrating an example process performed by an AS according to the present invention.
- the process defines a method for controlling access to applications in a communications network.
- the communications network may include an IMS, the AS, and a plurality of UEs, where at least one of the applications is associated with an application profile information.
- the steps of the method, performed by the AS are provided as follows:
- A1. Receive a request message associated with a UE of the plurality of UEs for access to one or more of the application(s). Proceed to A2.
- A2. Retrieve one or more user control policy(ies) associated with the UE, where the user control policy(ies) are included with the user subscription or profile associated with the UE and are stored/maintained in the communication network. Proceed to A3.
- A3. Determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s). Proceed to A4.
- A4. Send, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
- determining whether one or more application(s) are authorised to be accessed by the UE may further include, for each of the one or more application(s) associated with an application profile information, determining the UE is authorised to access said each application when the application profile information associated with said each application is applied to the user control policy(ies) associated with the UE to provide an output that indicates that the UE is authorised to access said each application.
- determining whether one or more application(s) are authorised to be accessed by the UE further includes, for each of the one or more application(s) associated with application profile information, determining the UE is not authorised to access said each application when the application profile information associated with said each application is applied to the user control policy(ies) associated with the UE to provide an output that indicates the UE is not authorised to access said each application.
- the user that controls the user control policy(ies) associated with the UE may include one or more rules that authorise the UE to access applications without an application profile information or to not authorise the UE to access applications without an application profile information.
- applications without an application profile information may be considered less trustworthy than applications in which the developer has taken the time to include an application profile information, therefore, the default policy may be to restrict access to applications for which there is no associated application profile information.
- the response to the request message may be a simple response that indicates the one or more applications are or are not authorised.
- the response message may simply be a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s).
- a response message may be based on a SIP successful response message (e.g. a SIP 2xx message such as a SIP 200 OK message).
- a SIP 200 OK response message in relation to the request message can be interpreted as an indication that the one or more applications are authorised to be accessed and/or used by the UE.
- a response message may be based on a SIP client failure response message (e.g. a SIP 4xx response message).
- a SIP 4xx response message in relation to the request message can be interpreted as an indication that the one or more applications are not authorised to be accessed and/or used by the UE.
- the request message may be a message transmitted by the UE for requesting access to one or more application(s) for retrieving/downloading the one or more application(s) for installation on the UE.
- the indication in the response may include sending data representative of a rejection response when said at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
- the request to retrieve at least one of the one or more application(s) is a SIP request and the response may be a SIP response.
- the response may only include the list of applications, and download locations etc., that are authorised to be accessed and used by the UE, such that the UE can have access to only those applications that are authorised to be accessed or used by the UE.
- the determining may further include generating a list of authorised applications and/or a list of unauthorised applications, and sending as the indication data representative of the generated list of authorised and/or unauthorised applications.
- receiving the request message may further include receiving an authorisation request associated with the UE from the network or a network entity on behalf of the UE or in response to an application on the UE communicating over the network.
- the authorisation request includes the identity of the application or each of said one or more application(s) being accessed and/or used by said UE.
- the AS may respond, in step A4, by sending as the indication data representative of whether the UE is authorised or not authorised to access said one or more application(s) based on the user control policy(ies) of the UE.
- This may be a simple response as described above, or a complex response including a list of all the authorised one or more application(s) that can be accessed and used by the UE and/or a list of all the unauthorised one or more application(s) that should not be accessed and used by the UE.
- the network entity may block communication access to the network for the application if the application is not authorised to be used by the UE.
- the UE may be browsing a web site or application market place, in which the webserver communicates with the AS.
- receiving, by the AS, a message associated with the UE may further include receiving a request for accessing the one or more application(s), and sending the indication further includes sending data representative of the one or more application(s) authorised to be accessed and/or used by the UE for display to the user of the UE.
- the webserver may then filter the applications that are displayed on the browser of the UE according to the data representative of the one or more application(s) authorised to be accessed and/or used by the UE. Alternatively, the UE may perform this filtering.
- the request may take the form of an HTTP request, and the indication includes data representative of HTTP information associated with the one or more application(s) authorised to be accessed by the UE for display to the user of the UE. For example, display via the webserver or browser of the UE based on the data representative of the one or more application(s) authorised to be accessed by the UE.
- the request message may be an authorisation request from the IMS or an IMS core node or network entity and may be triggered by the IMS due to communications over the network by one or more of the application(s) being accessed and/or used on the UE.
- the RCS 5.1 standard describes two mechanisms for a user's UE capability exchange: based on SIP OPTIONS and based on Presence (e.g. section 6.2 of the RCS 5.1 standard). These two mechanisms can be used to exchange UE capabilities, including both basic communication services and applications (e.g. IMS CoSe(s) identified by ICSI(s) and applications identified by IARIs).
- the capabilities of each UE for that user can be aggregated in the network, e.g. within a capability exchange AS or capabilities exchange server (CX-AS), which is the Presence Server when using the Presence method and the Options-AS when using the OPTIONS method.
- the request message may be an authorisation request from a CX-AS in response to a capabilities exchange related to the one or more of the application(s) being accessed and/or used by the UE. That is, the CX-AS receives application identities (e.g. IARIs) of the applications installed on the UE via the capabilities exchange process.
- the CX-AS may then be configured to check whether the applications installed on the UE satisfy the user control policy(ies), and to send a request message or authorisation request message to determine whether the UE can access the one or more applications detected to be installed on the UE due to the capabilities exchange.
- Step A4 may also include, if one or more applications are not authorised to be accessed on or used by the UE, then those applications may be blocked from communicating with the network, and/or the user controlling the user control policy(ies) may be notified of the unauthorised one or more application(s).
- step A4 may include, if one or more of the applications are not authorised to be accessed by the UE, then sending a notification message indicating the one or more applications the UE is not authorised to access to another UE of the user authorised to control the user control policy(ies) associated with the UE. This step may also be performed by the entity or apparatus that sent the request message for access to one or more applications.
- the communication network may further include an application database accessible by the AS.
- the application database includes a plurality of records, where each record is associated with an application and includes the application profile information associated with said application and/or the application identity (e.g. IARI).
- the application and application profile information may be submitted to the network operator by the developer of the application, and the network operator approves the application and inserts or updates the record associated with the application and application profile information.
- Step A3 of determining may further include accessing the application database and retrieving one or more application records based on the user control policy(ies) associated with the UE and the request message for access to one or more applications, the request message may include a list of one or more application identities for use by the step of A3 when determining which application is authorised to be accessed or not by the UE.
- Determining may further include accessing the application database and retrieving one or more records associated with said applications based on the user control policy(ies) associated with the UE, the request message, and/or the application profile information associated with the one or more applications.
- retrieving one or more user control policy(ies) associated with the UE may further include retrieving said one or more user control policy(ies) associated with the UE from an AS hosting the user subscription or user profile associated with the UE. This may include retrieving said one or more user control policy(ies) associated with the UE from another AS (e.g. a user control AS) that has access to the user control policy(ies) after the UE registered with the IMS.
- the user control policy(ies) may include one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) may include parental control information associated with said at least one of the one or more application(s).
- the present invention may be used for enforcing parental control policies on UEs, without the UEs requiring parental control software and the like. Only those with access to the user subscription or user profile associated with the UE, typically the user that is authorised to set the user control policy(ies), can create/delete/modify/update the user control policies associated with the UE.
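The decision made in steps A1 to A4, including the default restriction for applications that have no application profile information, can be sketched as follows. This is an added example and not code from the patent: the field names, the constructed IARIs and UE identities, the use of 403 as the SIP 4xx response, and the rejection of a UE with no stored policy are all assumptions.

```python
"""Network-side policy decision for steps A1-A4 (illustrative; names are hypothetical)."""
from dataclasses import dataclass
from typing import Optional

SIP_OK = 200         # the text treats a SIP 2xx response as "authorised"
SIP_FORBIDDEN = 403  # assumption: the text only says "SIP 4xx"


@dataclass(frozen=True)
class AppProfile:
    """Application profile information registered by the developer."""
    min_age: int = 0
    content_types: frozenset = frozenset()
    certified: bool = False


@dataclass(frozen=True)
class UserControlPolicy:
    """User control policy held with the subscription in the network."""
    user_age: int
    blocked_content_types: frozenset = frozenset()
    require_certified: bool = False
    # Default follows the text: restrict applications without profile information.
    allow_without_profile: bool = False


# Constructed application database: one record per application, keyed by IARI.
IARI = "urn:urn-7:3gpp-application.ims.iari.example."
APP_DB = {
    IARI + "chess": AppProfile(3, frozenset({"game"}), certified=True),
    IARI + "casino": AppProfile(18, frozenset({"game", "gambling"}), certified=True),
    IARI + "adchat": AppProfile(3, frozenset({"chat"}), certified=False),
}

# Constructed subscriber store: policies keyed by UE identity, not held on the UE.
POLICY_STORE = {
    "sip:child@example.invalid": UserControlPolicy(
        user_age=10,
        blocked_content_types=frozenset({"gambling"}),
        require_certified=True,
    ),
    "sip:adult@example.invalid": UserControlPolicy(
        user_age=40, allow_without_profile=True
    ),
}


def evaluate(policy: UserControlPolicy, profile: Optional[AppProfile]):
    """Apply one application profile to the policy; return (authorised, reason)."""
    if profile is None:
        if policy.allow_without_profile:
            return True, "no profile; policy permits"
        return False, "no application profile information"
    if policy.user_age < profile.min_age:
        return False, "age restriction"
    blocked = policy.blocked_content_types & profile.content_types
    if blocked:
        return False, "blocked content type: " + ", ".join(sorted(blocked))
    if policy.require_certified and not profile.certified:
        return False, "application not certified"
    return True, "profile satisfies policy"


def handle_access_request(ue_id: str, iaris: list) -> dict:
    """A1: request received with the UE identity and the requested IARIs."""
    policy = POLICY_STORE.get(ue_id)  # A2: retrieve the user control policy
    if policy is None:
        # Assumption: fail closed when the network holds no policy for the UE.
        reasons = {i: "no user control policy for UE" for i in iaris}
        return {"status": SIP_FORBIDDEN, "authorised": [], "unauthorised": reasons}

    authorised, unauthorised = [], {}
    for iari in dict.fromkeys(iaris):  # A3: decide per application, in order
        ok, reason = evaluate(policy, APP_DB.get(iari))
        if ok:
            authorised.append(iari)
        else:
            unauthorised[iari] = reason

    # A4: simple indication (status) plus the authorised/unauthorised lists.
    # An empty request authorises nothing, so it is rejected as well.
    status = SIP_OK if authorised and not unauthorised else SIP_FORBIDDEN
    return {"status": status, "authorised": authorised, "unauthorised": unauthorised}
```

Because the policy store and application database sit behind the AS, a modified client on the UE cannot alter the outcome; it can only change which identities it asks about.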
- FIG 3a is a signalling flow diagram of a communication network 300 illustrating an example of controlling access to one or more applications according to the present invention.
- the communication network 300 includes an IMS core network (CN) 302, a first AS 304, and a UE 306 of a plurality of UEs (not shown).
- the first AS 304 is configured to control access to the one or more applications in the network 300.
- At least one of the application(s) is associated with an application profile information provided by the developer of said application and which is stored in the communication network and accessible by the AS 304.
- the UE 306 has registered with the IMS CN 302, which means the UE 306 has been authenticated by the IMS CN 302 and has been granted access to communicate over the communication network 300.
- the user subscription associated with the UE includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies).
- the user of UE 306 may wish to have access to an application, or one or more application(s).
- the UE 306 sends a message requesting access to the application or one or more application(s).
- This request message is sent via the IMS CN 301 to the AS 304.
- the request message may include the identity of the UE 306 and the identity of the one or more application(s) the UE 306 has requested access to.
- the AS 304 determines, in steps 311-312, whether the one or more application(s) are authorised to be accessed and/or used by the UE 306 based on user control policy(ies) of the UE 306 and application profile information associated with each application that includes such information.
- the AS 304 retrieves, using the identity of the UE 306, the user control information associated with the UE 306 from the user subscription or profile.
- the AS determines, for each of the one or more application(s) that have an application profile information (retrieved based on the identity of the one or more applications), whether the application profile information when applied to the user control policy(ies) provides an output that indicates that the application is authorised.
- the AS 304 may respond to the request message with a response message providing an indication that all the one or more application(s) are authorised to be accessed and/or used by the UE 306. This response may be a simple success response message (e.g. SIP 200 OK message).
- the response may be a simple rejection response message (e.g. SIP 4xx message) indicating the at least one of the application(s) is not authorised to be accessed by the UE 306.
- the response message may also include the details or a list of the application(s) that are authorised to be accessed. This provides the advantage that the UE 306 receives only those application(s) that are authorised to be accessed and/or used by the UE 306. The details may also include links to download locations of the authorised applications.
- FIG 3b is a signalling flow diagram of the communication network 300 of Figure 3a illustrating another example of controlling access to one or more applications according to the present invention.
- the communication network 300 includes the IMS core network (CN) 302, the first AS 304, and the UE 306 of the plurality of UEs (not shown).
- the first AS 304 is configured to control access to the one or more applications in the network 300.
- At least one of the application(s) is associated with an application profile information provided by the developer of said application and which is stored in the communication network and accessible by the AS 304.
- the first AS 304 is coupled to a second AS 305.
- the second AS 305 includes user control policy(ies) of each of the UEs that have registered with the IMS CN 302.
- the UE 306 has registered with the IMS CN 302, which means the UE 306 has been authenticated by the IMS CN 302 and has been granted access to communicate over the communication network 300. It is also assumed that the user subscription associated with the UE includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies).
- the user of UE 306 may wish to have access to an application, or one or more application(s).
- the UE 306 sends a message requesting access to the application or one or more application(s).
- This request message is sent via the IMS CN 301 to the AS 304.
- the request message may include the identity of the UE 306 and the identity of the one or more application(s) the UE 306 has requested access to.
- the AS 304 determines, in steps 311a, 311b and 312, whether the one or more application(s) are authorised to be accessed and/or used by the UE 306 based on user control policy(ies) of the UE 306 and application profile information associated with each application that includes such information. In order to do this, in step 311a, the AS 304 retrieves from the second AS
- in step 311b, the second AS 302 sends the UE control policy(ies) to the first AS 304.
- the AS determines, for each of the one or more application(s) that have an application profile information (retrieved based on the identity of the one or more applications), whether the application profile information when applied to the user control policy(ies) provides an output that indicates that the application is authorised.
- the AS 304 may respond to the request message with a response message providing an indication that all the one or more application(s) are authorised to be accessed and/or used by the UE 306.
- This response may be a simple success response message (e.g. SIP 200 OK message). If one or more of the application(s) are not authorised to be accessed and/or used by the UE 306, then the response may be a simple rejection response message (e.g.
- the response message may also include the details or a list of the application(s) that are authorised to be accessed. This provides the advantage that the UE 306 receives only those application(s) that are authorised to be accessed and/or used by the UE
- FIG. 3c is a signalling flow diagram of the communication network 300 illustrating an example process of accessing the user control policy(ies) for use in controlling access to one or more applications according to the present invention.
- the communication network 300 includes the IMS core network (CN) 302, the UE 306 of the plurality of UEs (not shown), and the second AS 308, which is called a user control AS.
- the IMS CN 302 includes various IMS CN nodes such as, but not limited to, a P-CSCF, an I-CSCF, a S-CSCF and the HSS/Centralised User Data Base (CUDB).
- the user control AS 308 stores user control policy(ies) of each of the UEs that have registered with the IMS CN 302. It is assumed that the user subscription associated with the UE 306 includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies).
- UE 306 registers with the IMS CN 302 by sending a SIP REGISTER request message towards the IMS CN 302, which is received by the P-CSCF, then the I-CSCF.
- the IMS CN 302 performs the standard registration procedure for registering UE 306 with the IMS CN 302. This also includes an authentication procedure, which is used to authenticate UE 306 with the network using various authentication protocols.
- the IMS CN 302 sends SIP 200 OK response message towards the UE 306 indicating the UE has been registered with the IMS CN 302 and may begin communicating over the communication network 300.
- the S-CSCF is configured to send a SIP REGISTER request message associated with UE 306 to the user control AS 308.
- the user control AS 308 sends a SIP RESPONSE message to S-CSCF acknowledging the SIP REGISTER request message.
- the user control AS 308 requests or pulls (e.g. SH-PULL) the user control policy(ies) associated with UE 306 from the user subscription/profile associated with UE 306 from HSS/CUDB node.
- the Sh interface can be used to exchange user subscription or user profile information (e.g., user content policy(ies), user related data, group lists, user service related information or user location information or charging function addresses, etc.) between an AS and the HSS.
- in response to the user control policy(ies) request, the HSS/CUDB sends the user control policy(ies) associated with UE 306 to the user control AS 305.
- the user control policy(ies) may define one or more rules and/or policy(ies) that the user who controls the user control policy(ies) would like to enforce to authorise or not authorise access by the UE to various content such as applications during, among other things, browsing/downloading/purchasing/installing and executing and/or viewing such applications or content for one or more particular UEs associated with the user's user subscription or profile.
- the user control policy(ies) may include personal data, authorization rules, parental contact information, parental control policy(ies) or rule(s).
- on receiving the user control policy(ies), the user control AS 308 stores the user control policy(ies) associated with the UE 306 for use when the first AS 304 determines whether the UE 306 is authorised to access or use one or more application(s) as described, for example, with reference to figures 2 and 3a-3b. Now that the UE 306 has registered with the IMS CN 302, the UE 306 has been authenticated by the IMS CN 302 and has been granted access to communication network 300.
- FIG. 3d is a signalling flow diagram of the communications network 300 illustrating a further example process of controlling access to one or more applications according to the present invention.
- the communication network 300 includes the IMS CN 302, the first AS 304, and the UE 306 of the plurality of UEs (not shown).
- the first AS 304 is configured to control access to the one or more applications in the network 300.
- At least one of the application(s) is associated with an application profile information provided by the developer of said application and which is stored in the communication network and accessible by the first AS 304. It is also assumed that the UE 306 has registered with the IMS CN 302, which means the UE 306 has been authenticated by the IMS CN 302 and has been granted access to communicate over the communication network 300.
- the user subscription associated with the UE includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies).
- the user of UE 306 has managed to download and install an application on the UE 306.
- the user of UE 306 proceeds to use the application.
- the application starts to communicate with the communication network 300 (e.g. the application may communicate with a webserver or server associated with the application to download/access content etc.)
- the IMS CN 302 detects the application's communications over the communication network 300.
- the IMS CN 302 or a network node or entity in the IMS CN 302 is triggered to send an authorisation request message to the first AS 304 for requesting whether the application is authorised to be accessed and/or used by the UE 306.
- the request message may include the identity of the UE 306 and the identity of the one or more application(s) the UE 306 has accessed or is using.
- the first AS 304 determines, in steps 321-322, whether the application is authorised to be accessed and/or used by the UE 306 based on user control policy(ies) of the UE 306 and application profile information associated with the application.
- the first AS 304 retrieves, using the identity of the UE 306, the user control information associated with the UE 306 from the user subscription or profile of the second AS or user control AS (not shown).
- the AS determines whether the application profile information of the application when applied to the user control policy(ies) provides an output that indicates that the application is authorised or is not authorised. In this example, it is assumed that the application is not authorised for access or use by UE 306. Given this, in step 323, the AS 304 may respond to the authorisation request message by sending a response message to the IMS CN 302 providing an indication that the application is not authorised to be accessed and/or used by the UE 306.
- the response may be a simple rejection response message (e.g. SIP 4xx message) indicating that at least one of the application(s) is not authorised to be accessed by the UE 306.
- the IMS CN 302 in step 324 may proceed to block the application's communication with the communication network 300, preventing it from operating properly.
- either the IMS CN 302 or the first AS 304 may notify the user controlling the user control policy(ies) that the UE 306 is accessing or using an unauthorised application. This controlling user may then follow-up with the user of the UE 306 to have the unauthorised application removed from the UE 306.
- the controlling user may decide the application can be authorised and may update/modify the user control policy(ies) associated with the UE 306 such that the application will be an authorised application for the UE 306 to access and/or use.
- the AS 304 may send a simple success response message (e.g. SIP 200 OK message) to the IMS CN 302.
- the IMS CN 302 allows the application to proceed to use the communication network 300 accordingly.
- Figure 4a is a signalling flow diagram of another communication network 400 illustrating an example process of controlling access to one or more applications according to the present invention.
- the communication network 400 includes an IMS CN 402, an AS 404 coupled to an application database 405, and a UE 406 of a plurality of UEs (not shown).
- the AS 404 is configured to control access to the one or more applications in the network 400.
- the application database 405 may be accessible by the AS 404.
- the application database 405 includes a plurality of records, where each record is associated with an application and may include application profile information associated with said application and/or the application identity (e.g. IARI) associated with the application. Not all records for applications will have an application profile information as this will be provided by the developer of the application.
- the application and application profile information may be submitted to the network operator by the developer of the application, and the network operator may approve the application and insert or update the record in the application database 405 associated with the application and application profile information.
- Application database 405 may be stored within AS 404 or within another AS or network entity in the network 400.
- the UE 406 has registered with the IMS CN 402, which means the UE 406 has been authenticated by the IMS CN 402 and has been granted access to communicate over the communication network 400.
- the user subscription associated with the UE 406 includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies) associated with the UE 406.
- the user control policy(ies) associated with the UE may also include details of the user or user(s) of the UE, for example, the age of the user, gender, religion, parent contact details, parental control information or rules etc.
- the user control policy(ies) associated with UE 406 may include parental control policies, which are enforced when the user of UE 406 browses and downloads/purchases applications (e.g. RCS applications).
- the user of UE 406 may be a child and the user controlling the user control policy(ies) associated with UE 406 is the child's parent.
- the invention relies on authentication in the communication network (e.g. IMS network authentication) and on the user control policy(ies) that includes information about the user, which is provided by the network 400.
- the enforcement of the parental control policies may be performed based on, among other information, the IMS Application Reference Identifier (IARI) of the application(s) in the network 400, application profile information of the application(s) in the network 400, and on the user control policy(ies) associated with the UE 406. Since the network 400 is aware of the user's or subscriber's personal data (e.g. age of the user of UE 406 etc.), specific applications that do not meet the enforcement requirements of the parental control policies or of the user control policy(ies) in general will be inaccessible to the user of UE 406.
- the enforcement provided by the invention will ensure specific applications that are not suitable for underage persons will be restricted.
- the application and application profile information may be submitted to the network operator by the developer of the application; the application developer will register their application and may declare it is suitable for users over 18 years old. Note that the application profile information should probably be judged together with the service provided and maybe a public regulator.
- the network operator may also approve the application profile information associated with the application. Once approved, the application profile information and application are inserted into or updated in the application database 405 and the record associated with the application and application profile information. There are various situations in which applications should be restricted, authorised or not authorised.
- when the user of UE 406 is browsing an application market website, the user will be restricted to only seeing applications that are suitable for their age (this assumes the user control policy(ies) include the age of the user or other parental control rules/policies etc.). This means the applications will be filtered such that the user of UE 406 will not view the applications that are not suitable for their age. It is assumed that the application market site (e.g. the equivalent to the Android or Apple market but for IMS/RCS applications) belongs to the operator or the operator of the communication network. As another example, the user will see only the games, sharing tool applications and other application content that are suitable for their age. In operation, the user of UE 406 registers with the IMS CN 402.
- the user control policy(ies) is retrieved from the user subscription or user profile information during registration of the UE 406.
- the user control policy(ies) may include parental control policies and other personal information of the user, (e.g. the age of the user).
- the user control policy(ies) is made available to the AS 404, which may be an Application Market-AS or website and/or to the UE via a 3rd party registration.
- the AS 404 may include, in the application Market website, an application catalogue, which UEs may have access to so users may browse the application catalogue on their browsers.
- the user control policy(ies) may include parental control information about age of the user, parent contact address or UE, which can be retrieved from the user subscription and/or profile stored in the HSS (+ CUDB) via Sh.
- the Sh interface can be used to exchange user subscription or user profile information (e.g., user content policy(ies), user related data, group lists, user service related information or user location information or charging function addresses, etc.) between an AS and the HSS.
- the UE 406 sends an HTTP request to the AS 404 requesting access to the application catalogue, which includes one or more application(s).
- This request message is sent via the IMS CN 402 to the AS 404.
- the AS 404 receives the HTTP request from UE 406, which may include the identity of the UE 406 and a request for access to the application catalogue.
- the AS 404 determines, in steps 411-412, whether one or more application(s) in the application catalogue are authorised to be accessed and/or used by the UE 406 based on the user control policy(ies) of the UE 406 and application profile information associated with each application in the application catalogue that includes such information.
- the AS 404 retrieves the user control policy(ies) associated with the UE 406, which may be stored in the AS 404 as the AS 404 may have retrieved this information when UE 406 registered with the IMS CN 402.
- the AS 404 may retrieve the user control policy(ies) associated with the UE 406 from another AS that is configured to store user control policy(ies) when UEs register with the IMS CN 402 or directly from the HSS/CUDB that stores the user subscription or profile associated with the UE.
- the AS 404 determines, for each of the one or more application(s) that have an application profile information whether the application profile information when applied to the user control policy(ies) provides an output that indicates that the application is authorised.
- the AS 404 retrieves the application profile information for each of the applications based on the identity of the applications from the application database 405.
- the AS 404 compiles data representative of all the application(s) in the application catalogue that are authorised to be accessed and/or used by the UE 406, such that only authorised applications will be shown to the user as the user browses the application catalogue.
- the AS 404 may respond to the HTTP request message with an HTTP response message providing an indication of the authorised applications that can be accessed and/or used by the UE 406.
- the HTTP response message includes the necessary details to allow the user of UE 406 to browse the authorised applications in the application catalogue of the AS 404. This provides the advantage that the UE 406 receives only those application(s) that are authorised to be accessed and/or used by the UE 406, and that the user of the UE 406 can only view, browse, download/purchase such authorised applications.
- the AS application Market does not display the applications that are not suitable for the user's age, or the applications that do not fulfil the user control policy(ies).
- Figure 4b is a signalling flow diagram of the communication network 400 of Figure 4a illustrating another example process of controlling access to one or more applications according to the present invention.
- the communication network 400 includes the IMS CN 402, the AS 404 coupled to the application database 405, and the UE 406 of the plurality of UEs (not shown).
- the AS 404 is configured to control access to the one or more applications in the network 400.
- the AS 404 may be coupled to a user control AS 408.
- the AS 404 is a Market AS 404 that includes the user control AS 408.
- the Market AS 404 may include a market website and/or an application catalogue for use by the UE 406 when the user browses the application catalogue on the Market AS 404.
- the user control AS 408 retrieves the user control policy(ies) associated with UE 406 when UE 406 registers with the IMS CN 402 as described with reference to Figure 3c and Figure 4a.
- the user control policy(ies) are retrieved from the user subscription or user profile information during registration of the UE 406 and stored in the user control AS 408.
- the operation is similar to that described with reference to Figure 4a.
- when the user of UE 406 is browsing the application catalogue on Market-AS 404, in step 420, the UE 406 sends an HTTP request to the Market-AS 404 requesting access to the application catalogue, which includes one or more application(s).
- the Market-AS 404 receives the HTTP request from UE 406, and determines, in steps 421-422, whether one or more application(s) in the application catalogue are authorised to be accessed and/or used by the UE 406 based on the user control policy(ies) of the UE 406 and application profile information associated with each application in the application catalogue that includes such information.
- the Market-AS 404 retrieves the user control policy(ies) associated with the UE 406 from user control AS 408.
- the Market-AS 404 determines, for each of the one or more application(s) that have an application profile information whether the application profile information when applied to the user control policy(ies) provides an output that indicates that the application is authorised.
- the Market-AS 404 also retrieves the application profile information for each of the applications based on the identity of the applications from the application database
- the Market-AS 404 compiles data representative of all the application(s) in the application catalogue that are authorised to be accessed and/or used by the UE
- the Market-AS 404 responds to the HTTP request message with an HTTP response message providing an indication of the authorised applications that can be accessed and/or used by the UE 406.
- the HTTP response message includes the necessary details to allow the user of UE 406 to browse the authorised applications in the application catalogue of the Market-AS 404. This provides the advantage that the UE 406 receives only those application(s) that are authorised to be accessed and/or used by the UE 406, and that the user of the UE 406 can only view, browse, download/purchase such authorised applications.
- the Market-AS 404 does not display the applications that are not suitable for, by way of example, the user's age, or the applications that do not fulfil the user control policy(ies).
- the user of UE 406 may get a direct link to an unauthorised application via other means (e.g. email, chat rooms etc.).
- the user of UE 406 may attempt to access and download or retrieve the application from the direct link, which is a direct link to the Market AS 404.
- the HTTP request message is a request for accessing the application via the direct link, which identifies the application to download.
- when the Market-AS 404 receives the HTTP request from UE 406, it performs the steps 421-422 as it did previously, to determine whether the application associated with the direct link is authorised to be accessed and/or used by the UE 406 based on the user control policy(ies) of the UE 406 and application profile information associated with the application based on the direct link.
- FIG. 4c is a signalling flow diagram of the communication network 400 of figures 4a and/or 4b illustrating another example process of controlling access to one or more applications according to the present invention.
- the communication network 400 includes the IMS CN 402 coupled to the user control AS 408, where the user control AS 408 is also coupled to the application database 405, and the UE 406 of the plurality of UEs (not shown).
- the user control AS 408 may be located within a network entity/node of the IMS CN 402; similarly, the application database may be located within the user control AS 408 or within another AS within the network 400.
- the user control AS 408 is configured to control access to the one or more applications in the network 400.
- the user control AS 408 retrieves the user control policy(ies) associated with UE 406 when UE 406 registers with the IMS CN 402 as described with reference to Figure 3c and Figure 4a.
- the user control policy(ies) are retrieved from the user subscription or user profile information during registration of the UE 406 and stored in the user control AS 408.
- the user of UE 406 manages to install an unauthorised application in the UE 406 (e.g. hacking the terminal).
- the network 400 is configured to stop any attempt to communicate using the unauthorised application.
- the application may send a SIP request when it starts to communicate over the communication network 400.
- the IMS CN 402 detects this communication, and the IMS CN 402 or an AS or network entity (not shown) in the IMS CN 402 is configured, in steps 430-433, to determine whether the application is authorised using user control AS 408 and database 405.
- the user control AS 408 may be configured to determine whether the application is authorised to be used by the UE 406.
- the IMS CN 402 retrieves the user control policy(ies) associated with the UE 406 from user control AS 408.
- the IMS CN 402 (or user control AS 408), in step 431, retrieves, using the IARI from the SIP request message to identify the application, the application profile information associated with the application via user control AS 408 and the application database 405.
- the IMS CN 402 (or user control AS 408) uses the user control policy(ies), the application profile associated with the application, to determine whether the UE 406 is authorised to access or use the application.
- the application is assumed to be an unauthorised application.
- the IMS CN 402 (or user control AS 408) sends an error message (e.g. Error(not authorized) message) to UE 406 or the application on the UE 406 indicating it is not authorised, or indicating that it cannot access the communication network 400.
- the communication by the application may then be stopped or blocked by the IMS CN 402 based on the IARI in the request.
- a notification can be sent to the parent or user authorised to control the user control policy(ies) that the UE 406 is not authorised to use this particular application.
- a CX-AS (not shown) is configured to either perform the functionality of the AS(s) according to the invention as described with respect to figures 2 to 4c to determine whether each of the application(s) is authorised to be accessed or used by the UE 406.
- the CX-AS may send a request on behalf of the UE 406 requesting whether access to the one or more applications in the list of capabilities are authorised to be accessed or used by the UE 406 as described with reference to figures 2 to 4c.
- the CX-AS receives a response or determines the applications that are unauthorised and removes those IARIs from the list of capabilities and optionally informs the parent or user authorised to control the user control policy(ies).
- Figure 4d is a signalling flow diagram of the communication network 400 of figures 4a and/or 4b illustrating another example process of controlling access to one or more applications according to the present invention.
- the communication network 400 includes the IMS 402, a user control AS 408 (or HSS), an application database or server 405 and the UE 406 of the plurality of UEs (not shown).
- the UE 406 includes the functionality of an apparatus 406a that is configured to control access to the one or more applications in the network 400.
- the apparatus 406a may be independent of the UE 406, for example, a network entity may be configured to include the functionality of the apparatus 406a.
- the user control AS 408 retrieves the user control policy(ies) associated with UE 406 when UE 406 registers with the IMS CN 402 as described with reference to Figure 3c and/or Figure 4a.
- the user control policy(ies) are retrieved from the user subscription or user profile information during registration of the UE 406 and stored in the user control AS 408.
- the application database 405 may be located within or coupled to the user control AS 408 or the application database 405 may be located within or coupled to another AS/network entity/node (not shown). In this example, the application database 405 is coupled to the user control AS 408.
- the apparatus 406a is triggered to perform a determination of whether the UE 406 may access and/or use one or more of the application(s).
- the apparatus 406a may be triggered by detecting whether the UE 406 is attempting to browse or access one or more application(s), download one or more application(s), install one or more application(s), or even access or use one or more application(s).
- the apparatus 406a performs step 441 and retrieves one or more user control policy(ies) associated with the UE 406, where the user subscription or profile associated with the UE 406 may be stored in the network and includes the user control policy(ies).
- retrieving the user control policy(ies) may include reading the user control policy(ies) from memory/storage of the UE 406, or retrieving the user control policy(ies) from the network or the user subscription associated with the UE 406.
- the user control policy(ies) associated with the UE 406 are retrieved from the user control AS 408.
- after retrieving the user control policy(ies), the apparatus 406a performs step 442 to retrieve application profile information associated with at least one of the one or more application(s).
- the application profile information associated with at least one of the one or more application(s) is retrieved from the application database 405 via the user control AS 408.
- the apparatus 406a is then configured to perform step 443 and determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications.
- the apparatus is then configured to perform step 444, and indicate, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE.
- This may involve displaying a message to the user as to whether the one or more application(s) are authorised to be used by the UE. For example, a message may be displayed to the user that the user of UE 406 has attempted to access/use one or more unauthorised application(s). For any authorised application(s), the user need not be notified and the indication is simply a trigger allowing the authorised application(s) to be used normally. Any authorised applications may simply be used. Alternatively or additionally, the use of any unauthorised application(s) may be blocked or the communications by such application(s) blocked by the UE 406. Further, the parent or user authorised to control the user control policy(ies) may be notified that there are unauthorised application(s) that have been accessed or used on UE 406.
- determining whether one or more application(s) are authorised to be accessed by the UE 406 may further include, for each of the one or more application(s) associated with application profile information, determining the UE 406 is authorised to access and/or use said each application when the user control policy(ies) associated with the UE 406 is applied to the application profile information associated with said each application indicating the UE 406 is authorised to access said each application.
- determining whether one or more application(s) are authorised to be accessed by the UE 406 may further include, for each of the one or more application(s) associated with application profile information, determining the UE 406 is not authorised to access and/or use said each application when the user control policy(ies) associated with the UE 406 is applied to the personal information associated with said each application indicating the UE 406 is not authorised to access said each application. Additionally, step 443 may further include, for an application not associated with any application profile information, determining the UE 406 is authorised to access and/or use said application. Alternatively, step 443 may also further include, for an application not associated with any application profile information, determining the UE 406 is not authorised to access said application.
- the application database 405 may be accessible by the apparatus 406a, e.g. accessible via another AS, where the application database 405 may include a plurality of records stored therein, where each record is associated with an application and includes the application profile information associated with said application.
- the apparatus 406a may retrieve one or more application profile information associated with corresponding one or more applications.
- at least one of the one or more application(s) may include application profile information and, in step 442, retrieving the application profile information further includes extracting the application profile information from said at least one of the one or more application(s).
- the application profile information may be included in the installation file of the application, or in a header associated with the data representative of the application, or stored in the application in any other form.
- the application profile information for an application may be retrieved directly from the developer of the application.
- retrieving the one or more user control policy(ies) associated with the UE 406 may further include retrieving said one or more user control policy(ies) associated with the UE from a subscriber server (e.g. an HSS) or an AS hosting the user subscription or user profile associated with the UE.
- the user control policy(ies) includes one or more parental control policy(ies) associated with the UE 406 and the application profile information associated with at least one of the one or more application(s) includes parental control information associated with said at least one of the one or more application(s).
- the UE 406 may include the functionality according to the invention in the operating system of the UE 406, or in an installer application on the UE 406, or in any other application.
- the UE 406 may be configured, for sending, to an AS for controlling access to one or more applications according to the invention, one or more request(s) for whether any installed one or more applications on the UE 406 are authorised to be accessed or used by the UE 406. Therefore, in case the user of UE 406 manages to get the installer file of an unauthorised application, the UE 406 will check whether the application is authorised and, if not, will reject the installation.
- the UE 406 may be configured to perform the functionality of the AS for controlling access to one or more applications according to the invention and as described herein, whereby the UE 406 only requests the user control policy(ies) from the user control AS or directly from the HSS, and/or requests application profile information from a database 405 or parses the installation file for the application to determine whether any application profile information is present. Using this information, the UE 406 may be able to determine whether one or more application(s) installed on the UE 406 are authorised or not. The UE 406 may then refuse to install the application(s) or the UE 406 may uninstall the applications. Optionally, the UE may notify the user authorised to control the user control policy(ies).
- FIG. 5 is a schematic illustration of an example apparatus 500 according to the invention.
- the apparatus may be for use in controlling access to applications in the communications network.
- the communications network includes an IMS, an AS and a plurality of UEs, where at least one of the applications is associated with an application profile information.
- the apparatus 500 may include the functionality of a processor 501, receiver 502, transmitter 503 and memory 504, the processor 501 being coupled to the receiver 502, the transmitter 503 and the memory unit 504.
- the memory unit 504 may contain instructions executable by said processor 501.
- the transmitter 503 is configured to transmit a message to the AS for access to one or more of the application(s).
- the receiver 502 is configured to receive, in response to the transmitted message, an indication of whether the one or more application(s) are authorised to be accessed by the UE based on user control policies associated with the UE and an application profile information for each of the one or more application(s) that are associated with an application profile information.
- the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
- the apparatus 500 may be configured to be used in a UE, associated with a UE, or used in a network entity operating on behalf of the UE.
- the apparatus 500 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
- the apparatus 500 may be configured for use in controlling access to applications in the communications network.
- the communications network including the IMS and the plurality of UEs, where at least one of the applications is associated with application profile information.
- the apparatus 500 may include the functionality of a processor 501, receiver 502, transmitter 503 and memory 504, the processor 501 being coupled to the receiver 502, the transmitter 503 and the memory 504.
- the memory 504 containing instructions executable by said processor 501.
- the processor 501 may be configured to trigger the apparatus 500 to determine whether a UE associated with the apparatus may access and/or use one or more of the application(s).
- the processor 501 or receiver 502 and transmitter 503 may be further configured to retrieve one or more user control policy(ies) associated with the UE.
- the processor 501 or receiver 502 and transmitter 503 may be further configured to retrieve application profile information associated with at least one of the one or more application(s). These may be retrieved from memory 504 in apparatus 501 (e.g. from a previous determination session) or from the network.
- the processor 501 may be further configured to determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications.
- the processor 501 is further configured to indicate, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE. Additionally or alternatively, the apparatus 500 may be configured to be used in a UE, associated with a UE, or used in a network entity operating on behalf of the user. The apparatus 500 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
- Figure 6 is a schematic illustration of an example AS 600 according to the invention. The AS 600 may be for use in controlling access to applications in a communications network.
- the communications network including an IMS, and a plurality of UEs. At least one of the applications is associated with an application profile information.
- the AS 600 may include the functionality of a processor 601, receiver 602, transmitter 603 and memory 604, the processor 601 being coupled to the receiver 602, the transmitter 603 and the memory unit 604.
- the memory unit 604 containing instructions executable by said processor 601.
- the processor 601 and/or receiver 602 may be configured to receive a message associated with a UE of the plurality of UEs for access to one or more of the application(s).
- the processor 601 or receiver 602 and transmitter 603 may be further configured to retrieve one or more user control policy(ies) associated with the UE. These may be retrieved from memory unit 604 in AS 600 (e.g. from a previous determination session) or from the network.
- the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies).
- the processor 601 of AS 600 may be further configured to determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications.
- the processor 601 and/or transmitter 603 of AS 600 is configured to send, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
- the AS 600 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
- FIG. 7 is a schematic illustration of an example network entity or AS 700 (e.g. an IMS CN Node) according to the invention.
- the network entity or AS 700 is for use in controlling access to applications in a communications network.
- the communications network including an IMS, a second AS and a plurality of UEs, where at least one of the applications is associated with an application profile information.
- the network entity or AS 700 may include the functionality of a processor 701, receiver 702, transmitter 703 and memory 704, the processor 701 being coupled to the receiver 702, the transmitter 703 and the memory 704.
- the memory 704 containing instructions executable by said processor 701.
- the processor 701 and/or transmitter 703 of said network entity or AS 700 may be configured to transmit an authorisation request (or a request) associated with a UE of the plurality of UEs to the second AS.
- the authorisation request includes the identity of each of said one or more application(s) being accessed or used by said UE.
- the processor 701 and/or receiver 702 of the network entity or AS 700 is further configured to receive, from the second AS, data representative of whether the UE is authorised or not authorised to access or use said one or more application(s) based on the user control policy(ies) of the UE and the application profile information for each of the one or more application(s) that are associated with an application profile information.
- the user subscription or user profile associated with the UE can be stored in the network and includes the user control policy(ies).
- the AS 700 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
- Figure 8 is a schematic illustration of an example user control AS 800 according to the invention.
- the user control AS 800 is for use in controlling access to applications in a communications network.
- the communications network including an IMS, an AS associated with the applications, and a plurality of UEs, where at least one of the applications is associated with an application profile information.
- the user control AS 800 may include the functionality of a processor 801, receiver 802, transmitter 803 and memory unit 804, the processor 801 being coupled to the receiver 802, the transmitter 803 and the memory unit 804.
- the memory unit 804 containing instructions executable by said processor 801.
- the processor 801 and/or receiver 802 of said user control AS 800 may be configured to detect IMS registration of a UE from the plurality of UEs.
- the processor 801 and/or receiver 802 and transmitter 803 of said user control AS 800 may be configured to retrieve user control policy(ies) associated with the UE from the user subscription or profile associated with the UE. These may be retrieved from memory unit 804 in AS 800 (e.g. from a previous determination session) or from the network (e.g. from an HSS).
- the user control policy(ies) are stored or associated with the user subscription or profile associated with the UE.
- the processor 801 and memory unit 804 of the user control AS 800 may be further configured to store the user control policy(ies) associated with the UE.
- the processor 801 and/or receiver 802 of the user control AS 800 may be configured to receive a request for the user control policy(ies) associated with the UE from the AS associated with the applications.
- the processor 801 and/or transmitter 803 of the user control AS 800 may be further configured to transmit, in response to said request, said user control policy(ies) associated with the UE to the AS associated with the applications for use in determining whether the UE is authorised to access one or more application(s) based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more applications.
- the user control AS 800 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
- the servers, UEs, network entities, apparatus and computing systems as described herein each may perform the methods and processes as described herein.
- the processors of such systems are configured to execute computer program instructions based on the methods and processes described herein, such instructions being contained in a computer-readable medium or non-transitory computer readable medium, such as memory.
- the computer program instructions may be read into memory from another computer-readable medium or from another device via a communication interface.
- the instructions contained in memory cause the processor of a client device, reputation system, server, or other such computer system to perform processes or methods as described herein.
- a computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out one or more of the method(s) as described or the functionality of the servers, UEs, network entities, and apparatus as described.
- a carrier may be provided containing the computer program as described, where the carrier is one of an electronic signal, optical signal, radio signal, non-transitory computer readable medium, or computer readable storage medium.
- hardwired circuitry may be used in place of or in combination with the computer program instructions to implement processes and methods consistent with the present invention.
- Examples of hardware circuitry may include, but are not limited to, semiconductor chips, integrated circuits, field programmable gate arrays, application-specific integrated circuits, electronically programmable integrated circuits and the like. Thus, the present invention is not limited to any specific combination of hardware circuitry and/or software.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Telephonic Communication Services (AREA)
Abstract
Method(s) and apparatus are provided for use in controlling access to and/or use of one or more applications in a communications network 300. The communications network 300 includes an Internet Protocol Multimedia Subsystem 302, an application server (AS) 304, and a plurality of user equipments (UEs). At least one of the applications is associated with an application profile information. The method(s) and apparatus are used to query whether a UE 306 of the plurality of UEs is authorised to access or use one or more application(s). In order to do this, one or more user control policy(ies) associated with the UE 306 are retrieved, where the user subscription associated with the UE 306 that is stored in the network 300 includes the user control policy(ies). It is then determined whether the one or more application(s) are authorised to be accessed by the UE 306 based on the user control policies associated with the UE (306; 406) and the application profile information associated with at least one of the one or more application(s), which may be retrieved from each application or from a database of applications. In response to the request message, an indication of whether the one or more application(s) are authorised to be accessed by the UE 306 may be provided or sent.
Description
Application User Control
Technical Field
The present invention relates to methods and apparatus for controlling user equipment access to and/or use of one or more application(s) in a communications network.
Background
The IP Multimedia Subsystem (IMS) is the technology defined by the Third Generation Partnership Project (3GPP) to provide IP Multimedia services over mobile communication networks. IP Multimedia services provide a dynamic combination of voice, video, messaging, data, etc. within the same session.
The IMS makes use of the Session Initiation Protocol (SIP) to set up and control calls or sessions between user terminals. The Session Description Protocol (SDP), carried by SIP signals, is used to describe and negotiate the media components of the session. Whilst SIP was created as a user-to-user protocol, the IMS allows operators and service providers to control user access to services and to charge users accordingly.
Figure 1 illustrates schematically how the IMS fits into the mobile network architecture in the case of a General Packet Radio Service (GPRS) communication network. As shown in Figure 1, control of communications occurs at three layers (or planes). The lowest layer is the Connectivity Layer 1, also referred to as the bearer plane and through which signals are directed to/from user equipment (UE) accessing the network. The entities within the connectivity layer 1 that connect an IMS subscriber to IMS services form a network that is referred to as the IP-Connectivity Access Network, IP-CAN. The GPRS network includes various GPRS Support Nodes (GSNs). A gateway GPRS support node (GGSN) 2 acts as an interface between the GPRS backbone network and other networks (radio network and the IMS network). The middle layer is the Control Layer 4, and at the top is the Application Layer 6.
The IMS 3 includes a core network 3a, which operates over the middle, Control Layer 4 and the Connectivity Layer 1, and a Service Network 3b. The IMS core network 3a includes nodes or network entities that send/receive signals to/from the GPRS network via the GGSN 2a at the Connectivity Layer 1 and network nodes that include Call/Session Control Functions (CSCFs) 5, which operate as SIP proxies within the IMS in the middle, Control Layer 4. The 3GPP architecture defines three types of CSCFs: the Proxy CSCF (P-CSCF) which is the first point of contact within the IMS for a SIP terminal; the Serving CSCF (S-CSCF) which provides services to the user that the user is subscribed to; and the Interrogating CSCF (I-CSCF) whose role is to identify the correct S-CSCF and to forward to that S-CSCF a request received from a SIP terminal via a P-CSCF. The top, Application Layer 6 includes the IMS service network 3b. Application Servers (ASs) 7 are provided for implementing IMS service functionality.
The Home Subscriber Server (HSS) (also known as a Home Location Register (HLR), User Profile Server Function (UPSF), centralised user database (CUDB) or master user database) is a subscriber server or user database that stores user subscription information or user profile information associated with UEs within the communication network. For IMS network entities/nodes/ASs, the HSS supports call handling, authentication and authorization of the UEs and/or users, and can provide information about a subscriber's/user's location and IP information. The Sh interface may be used to exchange user subscription or user profile information (e.g. user content policy(ies), user related data, group lists, user service related information or user location information or charging function addresses, etc.) between network entities/nodes/ASs and the HSS.
The UE may comprise or represent any device used for communications. Examples of UE that may be used in certain embodiments of the described network(s) are wireless devices such as mobile phones, terminals, smart phones, portable computing devices such as laptops, hand-held devices, tablets, net books, computers, personal digital assistants and other wireless communication devices, or wired communication devices such as telephones, computing devices such as desktop computers, set-top boxes, and other fixed communication devices.
Communication networks may comprise or represent any network used for communications with UEs connected to the communications network. Examples of communications networks include, but are not limited to, wireless networks such as the Worldwide Interoperability for Microwave Access (WiMAX), wireless local area networks (WLAN) based on the Institute of Electrical and Electronics Engineers' (IEEE) 802.11 standards e.g. Wi-Fi networks, or Internet Protocol (IP) networks, packet-switched networks or enhanced packet switched networks, telecommunication networks, IMS networks or networks supporting IMS, or communications networks based on wireless, telecommunication, cellular or satellite technologies such as mobile networks, Global System for Mobile Communications (GSM), GPRS networks, Wideband Code Division Multiple Access (W-CDMA), CDMA2000 or Long Term Evolution (LTE)/LTE Advanced networks or any 2nd, 3rd or 4th Generation and beyond type communication networks.
Rich Communications Services (RCS) (also known as Rich Communications Suite services) is a platform for enabling network operators to deliver communication experiences beyond voice and short-message-services (SMSs). RCS relies on the IMS core network for session control and service establishment as specified by the 3GPP. RCS can provide consumers with instant messaging or chat, live video, applications (e.g. games, chat-based games, multimedia and news services, mobile learning, smart ads and promotions, etc.), and file sharing across devices, on any network. RCS may also enable network operators to generate new revenue streams through the creation of applications (apps) and business-to-business (B2B) services. RCS can facilitate IMS end-user services deployment, and so may also facilitate IMS basic communication services (IMS CoSe), which are identified by an IMS communication service identifier (ICSI), and applications, which are identified by an IMS application reference identifier (IARI). Network operators are deploying RCS to ensure their service retains relevance for users and keeps them connected, while at the same time offering solutions and alternative products and applications to third-party over the top (OTT) application providers/markets. OTT application providers/markets may include the Google Android Market (e.g. Google Play), Apple iTunes App Store, and Windows (Microsoft) App Store. Network operators may also develop App stores that may contain network operator specific applications and/or third party applications (e.g. RCS applications) that users can browse/download/purchase and install on their UEs.
In today's connected world, it is now possible for users to have access to multiple sources of applications and content from OTT application markets and/or RCS App stores. For example, the most used OTT application markets include Google Android Market (Google Play) (RTM), Apple iTunes App Store (RTM), and Windows App Store (RTM), which host a myriad of applications for use with UEs compatible with each application market place, e.g. an Android (RTM) phone user may use Google Play (RTM) to download applications, an iPhone (RTM) user may use the Apple iTunes App Store (RTM) and a Windows (RTM) phone user may use the Windows App Store (RTM). However, users do not really have any control over what types of applications they have access to on the OTT markets. For example, an application that is offensive to one user may not be offensive to another user, but if the application is listed on an application market it will be shown to all users when they browse/search through the myriad of applications in the market.
This issue is further exacerbated for users with multiple UEs tied to the same user subscription or profile. For example, a family may have one user subscription with multiple UEs associated with the user subscription, which allows each UE to be distributed among the family members, e.g. the parents may each have a UE and each child in the family may have a UE, in which all UEs are associated with a user subscription that is controlled and paid for by the parents. Alternatively, a company may provide employees with UEs that may be tied to one or more company user subscriptions or profiles, where the company pays for the charges incurred for the employee's use of the UE. In both scenarios the controlling users, e.g. the parents or the company, may need to control the content and applications that are used on the UE.
For example, parents typically provide children with UEs so they may be contacted in an emergency. However, giving a child a UE can also expose the child to the OTT application market and other App stores. For example, there may be applications available for the UEs with adult content (e.g. rated for > 18 years old). Although the application may display a text box asking the user of the UE whether they are an adult, if the user of the UE is a child, they can simply answer in the affirmative to gain access to the application and the related adult content. Alternatively, the application may use in-app purchases, or require a subscription, or simply require payment for downloading the application, which could be charged to the account associated with the user subscription or user profile associated with the UE. Although the OTT application market and/or applications themselves may provide warnings when payment may be required, it is typically all too easy for anyone using the UE to reply in the affirmative to gain access to the application. Although adults may be able to keep track of such expenses, children are typically unaware of the costs associated with applications, which may result in unexpectedly large bills from the network operator for applications a child may access/download/install and use on their UE. Basically, there is no control or real check on the information a user may provide or on the applications a user of a UE may have access to. Other solutions may be required.
Similarly, companies may provide their employees with company UEs for their day-to-day work. However, by giving an employee a UE the company has to trust that the employee will use the company UE appropriately. For example, there may be applications available for the UE with adult content (e.g. rated for > 18 years old). These applications are inappropriate for company UEs; for example, the company may become liable should an employee download and use such applications on the company UE, or the employee may be dismissed. Alternatively, the application may use in-app purchases, or require a subscription, or simply require payment for downloading the application, which could be charged to the company UE account associated with the user subscription or user profile associated with the UE. Although the OTT application market and/or applications themselves may provide warnings when payment may be required, it is typically all too easy for anyone using the UE to reply in the affirmative to gain access to the application. This may result in unexpectedly large bills from the network operator for applications an employee may access/download/purchase/install and use on their UE. Furthermore, the company's Information Technology policy may require that only approved applications are installed on a company UE; however, once a company UE is provided to an employee, it is difficult for the company to enforce its IT policy(ies). Basically, there is no control or real check on the information a user may provide or on the applications a user of a UE may have access to. Other solutions may be required.
One such solution may be parental control applications or user control software that may be explicitly installed on a UE. These are applications or software that allow parents (or even companies) to configure which applications the children or employees can download and use. But each of the UEs provided to children or employees is required to be configured appropriately. For example, Google Play (RTM) has a parental control application called Android (RTM) Parental Control (e.g., see https://play.google.com/store/apps/details?id=com.vlobe.smartappcloud.android.parentalcontrol&hl=es). This application allows the parent to select a list of applications that are allowed to be used on a UE among the installed applications. Another example is Google Play's (RTM) Kids Place (e.g., see https://play.google.com/store/apps/details?id=com.kiddoware.kidsplace), which is an application with parental controls and child locks to prevent children from downloading new applications, allows only approved applications to be downloaded, and prevents telephone calls from being made, or texting or performing other actions on the UE. This application can prevent children from downloading or purchasing new applications.
However, parental control applications or user control software installed on UEs have several drawbacks. These types of applications need to be configured per UE. That is, the parent has to understand the application and take the time to configure the UE. The company will need to configure each of the UEs for the workforce that has a company UE; this can be a complex, expensive, and time-consuming process. In addition, the configuration of each UE must be changed if the list of restricted or allowed applications changes. Another drawback is that the parental control application or user control software is typically visible; therefore users can see it and are reminded all the time that they are being restricted. Further, if the user swaps device or manages to uninstall the parental control application the restriction rules disappear. There does not seem to be an efficient, secure, or easy to use parental control application or user control software available in the current OTT application markets.
The user control or parental control applications and mechanisms currently available are unreliable, difficult to use and enforce, and have a low level of security, which may lead to increased cost and irreparable harm to young users (children) and increased costs to companies to configure and enforce company UEs. There is a desire to remove the inherent problems associated with OTT application markets and improve the control of applications a UE may access and use by providing a more reliable, cost effective, easy to use mechanism for controlling the application(s) or content the UE may access or use.
Summary
Whilst OTT application markets provide some limited support for parental control applications or user control applications/software, these applications may not provide total control or confidence to controlling users (e.g. parents and/or company IT administrators) over the applications a UE may have access to. This may have a detrimental impact on the trust placed in such systems associated with such application markets. It is an object of the present invention to provide methods and apparatus for efficiently and securely controlling a UE's access to and/or use of one or more approved or authorised applications, while preventing circumvention of the control away from the controlling or authorising user. The present invention uses existing communication network authentication mechanisms in conjunction with a user's subscription or user profile associated with the UE to enforce user control policy(ies) for authorising access to and/or use of one or more applications available to the UE. The invention provides that user control policy(ies) are not specific to each UE, but are instead specific to the user identity or user subscription or user profile associated with the UE, where the user subscription for one or more UEs is stored in the communication network.
According to a first aspect of the invention there is provided a method for controlling access to applications in a communications network. The communications network includes an IMS, an AS, and a plurality of UEs. At least one of the applications is associated with an application profile information. The method, performed by the AS, includes receiving a message associated with a UE of the plurality of UEs for access to one or more of the application(s). The AS retrieves one or more user control policy(ies) associated with the UE, where the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies). The AS determines whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the one or more application(s). The AS sends, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
As an option, determining whether one or more application(s) are authorised to be accessed by the UE further includes, for each of the one or more application(s) associated with application profile information, determining the UE is authorised to access said each application when the user control policy(ies) associated with the UE is applied to the application profile information associated with said each application indicating the UE is authorised to access said each application. As well, determining whether one or more application(s) are authorised to be accessed by the UE further includes, for each of the one or more application(s) associated with application profile information, determining the UE is not authorised to access said each application when the user control policy(ies) associated with the UE is applied to the personal information associated with said each application indicating the UE is not authorised to access said each application. Optionally, determining whether one or more application(s) are authorised to be accessed by the UE may further include, for an application not associated with any application profile information, determining the UE is authorised to access said application.
As another option, determining further includes generating a list of authorised applications, and sending an indication further includes sending data representative of the generated list of authorised applications. Alternatively or additionally, sending an indication may further include sending a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s). Alternatively or additionally, sending an indication may further include sending a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s). Additionally or alternatively, the response message indicating the request for access was successful is a SIP successful response message, and/or the response message indicating the request for access failed is a SIP client failure response message. For example, the SIP successful response message may be a SIP 200 OK message.
Optionally, receiving a message associated with the UE further includes receiving a request for accessing the one or more application(s), and sending the indication further includes sending data representative of the one or more application(s) authorised to be accessed and/or used by the UE for display to the user of the UE. As an option, the request is a Hypertext Transfer Protocol (HTTP) request, and the indication includes data representative of HTTP information associated with the one or more application(s) authorised to be accessed by the UE for display to the user of the UE.
As an option, determining further includes determining the one or more application(s) that are not authorised to be accessed by the UE based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s). Sending an indication further includes sending data representative that the UE is not authorised to access at least one of the one or more application(s) when at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
As another option, receiving a message further includes receiving a request to retrieve at least one of the one or more application(s) from the AS. Sending an indication further includes sending data representative of a rejection response when said at least one of the one or more application(s) is determined not authorised to be accessed by the UE. As an option, the request to retrieve at least one of the one or more application(s) is a SIP request.
Optionally, receiving a message further includes receiving an authorisation request associated with the UE from the network, the authorisation request including the identity of each of said one or more application(s) being accessed by said UE.
Sending an indication further includes sending data representative of whether the UE is authorised or not authorised to access said one or more application(s) based on the user control policy(ies) of the UE. Alternatively or additionally, sending an indication further includes sending data representative of whether the UE is authorised or not authorised to access said one or more application(s) based on the user control policy(ies) of the UE includes sending a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s) and/or sending a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s). Additionally or alternatively, the response message indicating the request for access was successful is a SIP successful response message, and/or the response message indicating the request for access failed is a SIP client failure response message. For example, the SIP successful response message may be a SIP 200 OK message.
As an option, the authorisation request is from the IMS and is triggered by the IMS due to communications over the network by one or more of the application(s) being accessed and/or used on the UE. Alternatively or additionally, the authorisation request is from a capabilities exchange AS in response to a capabilities exchange related to the one or more of the application(s) being accessed and/or used by the UE.
Optionally, the identity of each of said one or more application(s) is based on IMS application reference identifiers of each of said one or more application(s). As an option, the communication network further comprises an application database accessible by the AS. The application database includes a plurality of records, where each record is associated with an application and includes the application profile information associated with said application. Determining further includes accessing the application database and retrieving one or more applications based on the user control policy(ies) associated with the UE and the application profile information associated with the one or more applications. Additionally or alternatively, determining may further include accessing the application database and retrieving one or more records associated with said applications based on the user control policy(ies) associated with the UE and the application profile information associated with the one or more applications.
Optionally, if one or more of the applications are not authorised to be accessed by the UE, then sending a notification message indicating the one or more applications the UE is not authorised to access to another UE of a user authorised to control the user control policy(ies) associated with the UE.
As an option, retrieving one or more user control policy(ies) associated with the UE further comprises retrieving said one or more user control policy(ies) associated with the UE from an AS hosting the user subscription or user profile associated with the UE. Additionally or alternatively, retrieving one or more user control policy(ies) associated with the UE further comprises retrieving said one or more user control policy(ies) associated with the UE from another AS having access to the user control policy(ies) after the UE registered with the IMS.
As another option, the user control policy(ies) may include one or more parental control policy(ies) associated with the UE, and the application profile information associated with at least one of the one or more application(s) includes parental control information associated with said at least one of the one or more application(s).
According to a second aspect of the invention there is provided a method for controlling access to applications in a communications network. The communications network including an IMS, an AS and a plurality of UEs and at least one of the application(s) is associated with an application profile information. The method performed by an apparatus associated with a UE includes transmitting a message to the AS for access to one or more of the application(s), and receiving, in response to the transmitted message, an indication of whether the one or more application(s) are authorised to be accessed by the UE based on user control policies associated with the UE and an application profile information for each of the one or more application(s) that are associated with an application profile information. The user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
As an option, receiving an indication further includes receiving data representative of the one or more application(s) authorised to be accessed by the UE. As another option, the message comprises an HTTP request, and the indication includes data representative of HTTP information associated with the one or more application(s) authorised to be accessed by the UE for display to the user of the UE. As a further option, receiving an indication further includes receiving data representative that the UE is not authorised to access at least one of the one or more application(s) when at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
Optionally, transmitting a message further includes transmitting a request to retrieve at least one of the one or more application(s) from the AS. Receiving an indication further includes receiving data representative of a rejection response when said at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
As an option, in response to communication over the network by at least one application being accessed on the UE, receiving data representative of a rejection response when said at least one application is determined not authorised to be accessed by the UE based on the user control policy(ies) associated with the UE and the application profile information associated with the at least one application. Additionally, blocking further communication over the network by said at least one application on the UE.
Optionally, receiving the indication further includes receiving a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s), and/or receiving a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s). As a further option, the user control policy(ies) may include one or more parental control policy(ies) associated with the UE, and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
According to a third aspect of the invention, there is provided a method for controlling access to applications in a communications network. The communications network includes an IMS, an AS and a plurality of UEs and at least one of the applications is associated with an application profile information. The method, performed by an AS in the IMS, includes transmitting an authorisation request associated with the UE to said AS, the authorisation request including the identity of each of said one or more application(s) being accessed or used by said UE. The method also includes receiving data representative of whether the UE is authorised or not authorised to access or use said one or more application(s) based on the user control policy(ies) of the UE and the application profile information for each of the one or more application(s) that are associated with an application profile. The user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
As an option, receiving data representative of whether the UE is authorised or not further includes receiving a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s), and/or receiving a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s).
As another option, the authorisation request is triggered when the AS in the IMS detects communications over the network by one or more of the application(s) being accessed or in use on the UE. As a further option, the AS in the IMS is a capabilities exchange AS and the authorisation request is in response to a capabilities exchange related to the one or more of the application(s) capable of being accessed or used by the UE. Additionally, the identity of each of said one or more application(s) may be based on IMS application reference identifiers of each of said one or more application(s).
Optionally, the user control policy(ies) include one or more parental control policy(ies) associated with the UE, and the application profile information associated with at least one of the one or more application(s) includes parental control information associated with said at least one of the one or more application(s).
According to a fourth aspect of the present invention, there is provided a method for controlling access to applications in a communications network. The communications network includes an IMS, an AS associated with the applications, and a plurality of UEs and at least one of the applications is associated with application profile information. The method, performed by another AS, includes detecting IMS registration of a UE from the plurality of UEs, and retrieving user control policy(ies) associated with the UE from the user subscription or profile associated with the UE. The user control policy(ies) may be previously stored or associated with the user subscription or profile associated with the UE. The method further includes storing the user control policy(ies) associated with the UE, and receiving a request for the user control policy(ies) associated with the UE from the AS associated with the applications. The method also includes transmitting, in response to said request, said user control policy(ies) associated with the UE to the AS associated with the applications for use in determining whether the UE is authorised to access one or more application(s) based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more applications.
As an option, the user control policy(ies) include one or more parental control policy(ies) associated with the UE, and the application profile information associated with at least one of the one or more application(s) includes parental control information associated with said at least one of the one or more application(s).
According to a fifth aspect of the present invention there is provided a method for use in controlling access to applications in a communications network. The communications network includes an IMS and a plurality of UEs, where at least one of the applications is associated with application profile information. The method, performed by an apparatus, includes the steps of triggering a determination of whether a UE of the plurality of UEs may access and/or use one or more of the application(s). The method also includes retrieving one or more user control policy(ies) associated with the UE, wherein the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies), and retrieving application profile information associated with at least one of the one or more application(s). The method includes the steps of determining whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications, and indicating, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE.
As an option, determining whether one or more application(s) are authorised to be accessed by the UE further comprises, for each of the one or more application(s) associated with application profile information, determining the UE is authorised to access said each application when the user control policy(ies) associated with the UE is applied to the application profile information associated with said each application indicating the UE is authorised to access said each application. As another option, determining whether one or more application(s) are authorised to be accessed by the UE further comprises, for each of the one or more application(s) associated with application profile information, determining the UE is not authorised to access said each application when the user control policy(ies) associated with the UE is applied to the personal information associated with said each application indicating the UE is not authorised to access said each application. Optionally, the step of determining whether one or more application(s) are authorised to be accessed by the UE further includes, for an application not associated with any application profile information, determining the UE is authorised to access said application. Alternatively, the step of determining whether one or more application(s) are authorised to be accessed by the UE further includes, for an application not associated with any application profile information, determining the UE is not authorised to access said application.
As an option, the communication network further includes an application database accessible by the apparatus, the application database comprising a plurality of records, where each record is associated with an application and includes the application profile information associated with said application. The step of retrieving the application profile information further comprises retrieving one or more application profile information associated with the one or more applications. Alternatively, at least one of the one or more application(s) includes application profile information and the step of retrieving the application profile information further includes extracting the application profile information from said at least one of the one or more application(s).
Optionally, retrieving one or more user control policy(ies) associated with the UE further includes retrieving said one or more user control policy(ies) associated with the UE from a subscriber server or an AS hosting the user subscription or user profile associated with the UE. Additionally or alternatively, the user control policy(ies) includes one or more parental control policy(ies) associated with the UE, and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
According to a sixth aspect of the invention, there is provided an AS for use in controlling access to applications in a communications network. The communications network includes an IMS and a plurality of UEs and at least one of the applications is associated with an application profile information. The AS includes a processor, transmitter, receiver and a memory, said memory containing instructions executable by said processor. The AS is configured to receive a message associated with a UE of the plurality of UEs for access to one or more of the application(s) and to retrieve one or more user control policy(ies) associated with the UE. The user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies). The AS is further configured to determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications. The AS is configured to send, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
According to a seventh aspect of the invention, there is provided an apparatus for use in controlling access to applications in a communications network. The communications network includes an IMS, an AS and a plurality of UEs. At least one of the applications is associated with an application profile information. The apparatus includes means configured to transmit a request message associated with a UE of the plurality of UEs to the AS for access to one or more of the application(s). The apparatus is further configured to receive, in response to the transmitted message, an indication of whether the one or more application(s) are authorised to be accessed or used by the UE based on user control policies associated with the UE and an application profile information for each of the one or more application(s) that are associated with an application profile information. The user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies). As an option, the apparatus is configured to be used in a UE, i.e. the UE has the functionality of the apparatus.
According to an eighth aspect of the invention, there is provided an AS for use in controlling access to applications in a communications network. The communications network includes an IMS, a second AS and a plurality of UEs, where at least one of the applications is associated with an application profile information. The AS includes means configured to transmit an authorisation request associated with the UE to said second AS, the authorisation request including the identity of each of said one or more application(s) being accessed or used by said UE. The AS is further configured to receive, from the second AS, data representative of whether the UE is authorised or not authorised to access or use said one or more application(s) based on the user control policy(ies) of the UE and the application profile information for each of the one or more application(s) that are associated with an application profile information. The user subscription or profile associated with the UE may be stored in the network and may include the user control policy(ies).
According to a ninth aspect of the invention, there is provided a user control AS for use in controlling access to applications in a communications network. The communications network includes an IMS, an AS associated with the applications, and a plurality of UEs, where at least one of the applications is associated with an application profile information. The user control AS includes means configured to detect IMS registration of a UE from the plurality of UEs, and retrieve user control policy(ies) associated with the UE from the user subscription or profile associated with the UE. The user control policy(ies) may have been previously stored or associated with the user subscription or profile associated with the UE. The user control AS is further configured to store the user control policy(ies) associated with the UE, and receive a request for the user control policy(ies) associated with the UE from the AS associated with the applications. The user control AS is further configured to transmit, in response to said request, said user control policy(ies) associated with the UE to the AS associated with the applications for use in determining whether the UE is authorised to access one or more application(s) based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more applications.
According to another aspect of the present invention there is provided an apparatus for use in controlling access to applications in a communications network. The communications network includes an IMS and a plurality of UEs, where at least one of the applications is associated with application profile information. The apparatus includes means configured to trigger a determination of whether a UE of the plurality of UEs may access and/or use one or more of the application(s). The apparatus is configured to retrieve one or more user control policy(ies) associated with the UE, wherein the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies), and to retrieve application profile information associated with at least one of the one or more application(s). The apparatus is further configured to determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications. The apparatus is configured to indicate, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE. As an option, the apparatus is configured to be used in a UE, i.e. the UE has the functionality of the apparatus.
According to further aspects of the invention there is provided a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out one or more of the method(s) as described or the functionality of the ASs and apparatus as described. As an option, a carrier may be provided containing the computer program as described, where the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
It is evident that the invention provides the advantage of providing a secure and efficient mechanism for providing control of a UE's access to and use of one or more applications that may be available to the UE. This provides the further advantage that the user control policy(ies) are not specific or configured for each UE, but are centralised within the communication network and specific to the user subscription or user profile associated with one or more UEs.
Brief Description of the Drawings
Figure 1 is a diagram illustrating a typical communications network;
Figure 2 is a flow diagram illustrating an example process performed by an AS according to the present invention;
Figure 3a is a signalling flow diagram illustrating an example process of controlling access to one or more applications according to the present invention;
Figure 3b is a signalling flow diagram illustrating another example process of controlling access to one or more applications according to the present invention;
Figure 3c is a signalling flow diagram illustrating an example process of initialising the communication system for use in controlling access to one or more applications according to the present invention;
Figure 3d is a signalling flow diagram illustrating a further example process of controlling access to one or more applications according to the present invention;
Figure 4a is a signalling flow diagram illustrating an example process of controlling access to one or more applications according to the present invention;
Figure 4b is a signalling flow diagram illustrating another example process of controlling access to one or more applications according to the present invention;
Figure 4c is a signalling flow diagram illustrating a further example process of controlling access to one or more applications according to the present invention;
Figure 4d is a signalling flow diagram illustrating yet another example process of controlling access to one or more applications according to the present invention;
Figure 5 is a schematic illustration of an example apparatus according to the invention;
Figure 6 is a schematic illustration of an example AS according to the invention;
Figure 7 is a schematic illustration of an example network entity/AS according to the invention; and
Figure 8 is a schematic illustration of an example user control AS 800 according to the invention.
Detailed Description
In order to at least partially overcome the problems described above, the invention as proposed herein improves the efficiency of enforcing user control policies when accessing and/or using one or more application(s) during browsing, downloading and purchasing applications in a communications network (e.g. an IP communications network or IMS based communications network), while at the same time improving the usability, security and reliability of the enforcement mechanism(s) for providing the control of access and/or use of the one or more applications. The invention consists of mechanism(s) provided by the network for enforcing user control policies when accessing and using applications (e.g. RCS applications) such as, by way of example, browsing/downloading/purchasing/installing and executing such applications. The mechanism(s) use a combination of communication network authentication (e.g. IMS network authentication), user control policy(ies) about the user preferences regarding application(s) and application profile information of one or more application(s), both of which are maintained in and provided by the network. The enforcement of the user control policies is performed based, among other information, on the identity of one or more application(s) (e.g. IMS Application Reference Identifier (IARI)), which is used to retrieve any application profile information associated with each of the one or more application(s) and which is applied to the user control policy(ies) for determining the application(s) the user is authorised to access and use on the UE.
The primary enforcement mechanism resides within the network and has access to the user subscription or profile associated with a UE, which are stored within the network (e.g. within a home subscriber server (HSS)). This enforcement mechanism may be an AS configured to enforce the user control policy(ies) associated with the UE of the user against application profile information associated with one or more applications. The user subscription or profile may include the user control policy(ies), which are accessible by the mechanism(s) when the associated UE of the user registers with the communication network. In addition, the service provider or application developer for an application registers the application and provides application profile information including data representative of the suitability of the application to various users. For example, the application profile information may include various information based on, but not limited to, age, gender, religion, genre of the application, application type, free applications with/without adware, certified/non-certified applications, popularity and ratings, application content type, parental control information, reputation of the application(s), time of access to the application.
The user control policy(ies) define the type of rules and/or policy(ies) that the user who controls the user control policy(ies) would like to enforce to authorise or not authorise various content such as applications during, among other things, browsing/downloading/purchasing/installing and executing and/or viewing such applications or content for one or more particular UEs associated with the user's user subscription or profile. The user control policy(ies) may also include details of the user of the UE, for example, the age of the user, gender, religion, parent contact details, parental control information or rules etc.
For example, for each application that is associated with an application profile information, the application profile information may be applied to the user control policy(ies) to determine and/or enforce whether the application is authorised or not authorised for access and/or use by one or more UEs associated with the user control policy(ies). This process may be implemented and maintained within the security of the communication network and may be inaccessible to the user of the UE, unless the user has access and authorisation to create/change/delete the user control information associated with the user subscription or profile that is stored securely within the communication network and associated with the UE.
In essence, method(s) and apparatus are provided for use in controlling access to and/or use of one or more applications in a communications network. The communications network including an IMS, an AS, and a plurality of UEs. At least one of the applications is associated with an application profile information. The method(s) and apparatus may be used to query or request whether a UE of the plurality of UEs is authorised to access or use one or more application(s). In order to do this, one or more user control policy(ies) associated with the UE are retrieved, where the user subscription associated with the UE is stored in the network and includes the user control policy(ies). It is then determined whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the one or more application(s), which may be retrieved/extracted from each application or from a database of applications storing the application profile information. In response to the query/request, an indication of whether the one or more application(s) are authorised to be accessed by the UE 306 may be provided or sent to the originator of the query/request.
Figure 2 is a flow diagram illustrating an example process performed by an AS according to the present invention. The process defines a method for controlling access to applications in a communications network. The communications network may include an IMS, the AS, and a plurality of UEs, where at least one of the applications is associated with an application profile information. The steps of the method, performed by the AS, are provided as follows:
A1. Receive a request message associated with a UE of the plurality of UEs for access to one or more of the application(s). Proceed to A2.
A2. Retrieve one or more user control policy(ies) associated with the UE, where the user control policy(ies) are included with the user subscription or profile associated with the UE and are stored/maintained in the communication network. Proceed to A3.
A3. Determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s). Proceed to A4.
A4. Send, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
In step A3, determining whether one or more application(s) are authorised to be accessed by the UE may further include, for each of the one or more application(s) associated with an application profile information, determining the UE is authorised to access said each application when the application profile information associated with said each application is applied to the user control policy(ies) associated with the UE to provide an output that indicates that the UE is authorised to access said each application. As well, determining whether one or more application(s) are authorised to be accessed by the UE further includes, for each of the one or more application(s) associated with application profile information, determining the UE is not authorised to access said each application when the application profile information associated with said each application is applied to the user control policy(ies) associated with the UE to provide an output that indicates the UE is not authorised to access said each application.
It is to be appreciated that when determining which applications can be authorised or not authorised for access by the UE, it will be inevitable that some applications may not be associated with an application profile information. Such applications could be automatically authorised to be accessed, or not authorised for the UE to access, which may depend on the policy of the network operator. Additionally or alternatively, the user that controls the user control policy(ies) associated with the UE may include one or more rules that authorise the UE to access applications without an application profile information or to not authorise the UE to access applications without an application profile information. Typically, applications without an application profile information may be considered less trustworthy than applications in which the developer has taken the time to include an application profile information, therefore, the default policy may be to restrict access to applications for which there is no associated application profile information.
In step A4, the response to the request message may be a simple response that indicates the one or more applications are or are not authorised. For example, the response message may simply be a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s). By way of example only, such a response message may be based on a SIP successful response message (e.g. a SIP 2xx message such as a SIP 200 OK message). A SIP 200 OK response message in relation to the request message can be interpreted as an indication that the one or more applications are authorised to be accessed and/or used by the UE. Alternatively, the response message may be a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s). By way of example only, such a response message may be based on a SIP client failure response message (e.g. a SIP 4xx response message). A SIP 4xx response message in relation to the request message can be interpreted as an indication that the one or more applications are not authorised to be accessed and/or used by the UE.
In step A1, the request message may be a message transmitted by the UE for requesting access to one or more application(s) for retrieving/downloading the one or more application(s) for installation on the UE. After the determining in step A3, the indication in the response of step A4 may include sending data representative of a rejection response when said at least one of the one or more application(s) is determined not authorised to be accessed by the UE. The request to retrieve at least one of the one or more application(s) is a SIP request and the response may be a SIP response. Alternatively, instead of a blanket rejection response if one or more of the application(s) requested is not authorised for access, the response may only include the list of applications, and download locations etc., that are authorised to be accessed and used by the UE, such that the UE can have access to only those applications that are authorised to be accessed or used by the UE.
In step A3, the determining may further include generating a list of authorised applications and/or a list of unauthorised applications, and sending as the indication data representative of the generated list of authorised and/or unauthorised applications. Alternatively or additionally, in step A1, receiving the request message may further include receiving an authorisation request associated with the UE from the network or a network entity on behalf of the UE or in response to an application on the UE communicating over the network. The authorisation request includes the identity of the application or each of said one or more application(s) being accessed and/or used by said UE. After determining, in step A3, which applications are authorised or not authorised to be accessed/used by the UE based on the user control policy(ies) and the corresponding application profile information, the AS may respond, in step A4, by sending as the indication data representative of whether the UE is authorised or not authorised to access said one or more application(s) based on the user control policy(ies) of the UE. This may be a simple response as described above, or a complex response including a list of all the authorised one or more application(s) that can be accessed and used by the UE and/or a list of all the unauthorised one or more application(s) that should not be accessed and used by the UE. On receipt of the response, the network entity may block communication access to the network for the application if the application is not authorised to be used by the UE.
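The decision procedure of steps A1 to A4, including the default restriction for applications without application profile information and both the simple and the list-based response, as an added Python example that is not part of the patent text. The profile and policy fields, the IARI strings, the UE identities, the fail-closed handling of a UE with no stored policy, and the choice of 403 for the "SIP 4xx" rejection are assumptions constructed for illustration.

```python
"""Network-side application authorisation (steps A1-A4), illustrative only."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

SIP_OK = 200
SIP_REJECT = 403  # assumption: the text only says "SIP 4xx"


@dataclass(frozen=True)
class AppProfile:
    """Application profile information supplied by the developer (assumed fields)."""
    min_age: int = 0
    certified: bool = False
    content_types: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class UserControlPolicy:
    """User control policy held in the user subscription (assumed fields)."""
    user_age: int
    blocked_content_types: FrozenSet[str] = frozenset()
    require_certified: bool = False
    # Default is to restrict applications that carry no profile information.
    allow_unprofiled: bool = False


# Constructed application database: IARI -> profile (None = no profile supplied).
APP_DB: Dict[str, Optional[AppProfile]] = {
    "urn:example:iari:chat": AppProfile(0, True, frozenset({"messaging"})),
    "urn:example:iari:casino": AppProfile(18, True, frozenset({"gambling"})),
    "urn:example:iari:noprofile": None,
}

# Constructed subscriptions: UE identity -> user control policy.
SUBSCRIPTIONS: Dict[str, UserControlPolicy] = {
    "sip:child@example.net": UserControlPolicy(
        user_age=10,
        blocked_content_types=frozenset({"gambling"}),
        require_certified=True,
    ),
    "sip:parent@example.net": UserControlPolicy(user_age=40, allow_unprofiled=True),
}


def is_authorised(policy: UserControlPolicy, profile: Optional[AppProfile]) -> bool:
    """Apply one application profile to the user control policy (step A3)."""
    if profile is None:
        return policy.allow_unprofiled
    if policy.user_age < profile.min_age:
        return False
    if policy.require_certified and not profile.certified:
        return False
    if profile.content_types & policy.blocked_content_types:
        return False
    return True


def handle_request(ue_id: str, iaris: List[str]) -> dict:
    """A1: request for ue_id and a list of application identities.

    Returns the blanket SIP-style status together with the authorised and
    unauthorised lists, so a caller can use either response style.
    """
    policy = SUBSCRIPTIONS.get(ue_id)  # A2: retrieve the policy from the network
    authorised: List[str] = []
    unauthorised: List[str] = []
    for iari in iaris:  # A3: evaluate each requested application
        profile = APP_DB.get(iari)  # unknown IARI is treated as "no profile"
        # Assumption: a UE with no retrievable policy is denied (fail closed).
        ok = policy is not None and is_authorised(policy, profile)
        (authorised if ok else unauthorised).append(iari)
    all_ok = bool(iaris) and not unauthorised
    return {  # A4: indication sent back to the requester
        "status": SIP_OK if all_ok else SIP_REJECT,
        "authorised": authorised,
        "unauthorised": unauthorised,
    }


if __name__ == "__main__":
    print(handle_request("sip:child@example.net", list(APP_DB)))
    print(handle_request("sip:parent@example.net", list(APP_DB)))
```

The `authorised` list is what a market-place web server would use to filter what is displayed, while `status` corresponds to the blanket accept or reject response.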
In steps A1 and A4, the UE may be browsing a web site or application market place, in which the webserver communicates with the AS. In this case, receiving the message associated with the UE further includes receiving a request for accessing the one or more application(s), and sending the indication further includes sending data representative of the one or more application(s) authorised to be accessed and/or used by the UE for display to the user of the UE. The webserver may then filter the applications that are displayed on the browser of the UE according to the data representative of the one or more application(s) authorised to be accessed and/or used by the UE. Alternatively, the UE may perform this filtering. When browsing websites, the request may take the form of an HTTP request, and the indication includes data representative of HTTP information associated with the one or more application(s) authorised to be accessed by the UE for display to the user of the UE. For example, the display may be via the webserver or the browser of the UE, based on the data representative of the one or more application(s) authorised to be accessed by the UE.
In a communication network with an IMS, the request message may be an authorisation request from the IMS or an IMS core node or network entity and may be triggered by the IMS due to communications over the network by one or more of the application(s) being accessed and/or used on the UE. In addition, the RCS 5.1 standard describes two mechanisms for user's UE capability exchange: based on SIP OPTIONS and based on Presence (e.g. section 6.2 of the RCS 5.1 standard). These two mechanisms can be used to exchange UE capabilities, including both basic communication services and applications (e.g. IMS CoSe(s) identified by ICSI(s) and applications identified by IARIs). In a multiple UEs per user scenario, the capabilities of each UE for that user can be aggregated in the network, e.g. within a capability exchange AS or capabilities exchange server (CX-AS), which is the Presence Server when using the Presence method and the Options-AS when using the OPTIONS method. Alternatively, the request message may be an authorisation request from a CX-AS in response to a capabilities exchange related to the one or more of the application(s) being accessed and/or used by the UE. That is, the CX-AS receives application identities (e.g. IARIs) of the applications installed on the UE via the capabilities exchange process. The CX-AS may then be configured to check whether the applications installed on the UE satisfy the user control policy(ies), and sends a request message or authorisation request message to determine whether the UE can access the one or more applications detected to be installed on the UE due to the capabilities exchange.
Step A4 may also include, if one or more applications are not authorised to be accessed on or used by the UE, then those applications may be blocked from communicating with the network, and/or the user controlling the user control policy(ies) may be notified of the unauthorised one or more application(s). Alternatively or additionally, step A4 may include, if one or more of the applications are not authorised to be accessed by the UE, then sending a notification message indicating the one or more applications the UE is not authorised to access to another UE of the user authorised to control the user control policy(ies) associated with the UE. This step may also be performed by the entity or apparatus that sent the request message for access to one or more applications.
The communication network may further include an application database accessible by the AS. The application database includes a plurality of records, where each record is associated with an application and includes the application profile information associated with said application and/or the application identity (e.g. IARI). The application and application profile information may be submitted to the network operator by the developer of the application, and the network operator approves the application and inserts or updates the record associated with the application and application profile information. Step A3 of determining may further include accessing the application database and retrieving one or more application records based on the user control policy(ies) associated with the UE and the request message for access to one or more applications. The request message may include a list of one or more application identities for use by step A3 when determining which application is authorised to be accessed or not by the UE.
Determining may further include accessing the application database and retrieving one or more records associated with said applications based on the user control policy(ies) associated with the UE, the request message, and/or the application profile information associated with the one or more applications.
In step A2, retrieving one or more user control policy(ies) associated with the UE may further include retrieving said one or more user control policy(ies) associated with the UE from an AS hosting the user subscription or user profile associated with the UE. This may include retrieving said one or more user control policy(ies) associated with the UE from another AS (e.g. a user control AS) that has access to the user control policy(ies) after the UE registered with the IMS.
Finally, the user control policy(ies) may include one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) may include parental control information associated with said at least one of the one or more application(s). Thus, the present invention may be used for enforcing parental control policies on UEs, without the UEs requiring parental control software and the like. Only those with access to the user subscription or user profile associated with the UE, typically the user that is authorised to set the user control policy(ies), can create/delete/modify/update the user control policies associated with the UE.
Figure 3a is a signalling flow diagram of a communication network 300 illustrating an example of controlling access to one or more applications according to the present invention. The communication network 300 includes an IMS core network (CN) 302, a first AS 304, and a UE 306 of a plurality of UEs (not shown). The first AS 304 is configured to control access to the one or more applications in the network 300. At least one of the application(s) is associated with an application profile information provided by the developer of said application and which is stored in the communication network and accessible by the AS 304. It is also assumed that the UE 306 has registered with the IMS CN 302, which means the UE 306 has been authenticated by the IMS CN 302 and has been granted access to communicate over the communication network 300. It is also assumed that the user subscription associated with the UE includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies).
In operation, the user of UE 306 may wish to have access to an application, or one or more application(s). In step 310, the UE 306 sends a message requesting access to the application or one or more application(s). This request message is sent via the IMS CN 301 to the AS 304. The request message may include the identity of the UE 306 and the identity of the one or more application(s) the UE 306 has requested access to. On receiving the request message from the UE 306, the AS 304 determines, in steps 311-312, whether the one or more application(s) are authorised to be accessed and/or used by the UE 306 based on user control policy(ies) of the UE 306 and application profile information associated with each application that includes such information. In order to do this, in step 311, the AS 304 retrieves, using the identity of the UE 306, the user control information associated with the UE 306 from the user subscription or profile. The AS, in step 312, determines, for each of the one or more application(s) that have an application profile information (retrieved based on the identity of the one or more applications), whether the application profile information when applied to the user control policy(ies) provides an output that indicates that the application is authorised. In step 313, the AS 304 may respond to the request message with a response message providing an indication that all the one or more application(s) are authorised to be accessed and/or used by the UE 306. This response may be a simple success response message (e.g. SIP 200 OK message). If one or more of the application(s) are not authorised to be accessed and/or used by the UE 306, then the response may be a simple rejection response message (e.g. SIP 4xx message) indicating the at least one of the application(s) is not authorised to be accessed by the UE 306. Alternatively, the response message may also include the details or a list of the application(s) that are authorised to be accessed. This provides the advantage that the UE 306 receives only those application(s) that are authorised to be accessed and/or used by the UE 306. The details may also include links to download locations of the authorised applications.
Figure 3b is a signalling flow diagram of the communication network 300 of Figure 3a illustrating another example of controlling access to one or more applications according to the present invention. The communication network 300 includes the IMS core network (CN) 302, the first AS 304, and the UE 306 of the plurality of UEs (not shown). The first AS 304 is configured to control access to the one or more applications in the network 300. At least one of the application(s) is associated with an application profile information provided by the developer of said application and which is stored in the communication network and accessible by the AS 304. In addition, the first AS 304 is coupled to a second AS 305. The second AS 305 includes user control policy(ies) of each of the UEs that have registered with the IMS CN 302. It is also assumed that the UE 306 has registered with the IMS CN 302, which means the UE 306 has been authenticated by the IMS CN 302 and has been granted access to communicate over the communication network 300. It is also assumed that the user subscription associated with the UE includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies).
In operation, the user of UE 306 may wish to have access to an application, or one or more application(s). In step 310, the UE 306 sends a message requesting access to the application or one or more application(s). This request message is sent via the IMS CN 301 to the AS 304. The request message may include the identity of the UE 306 and the identity of the one or more application(s) the UE 306 has requested access to. On receiving the request message from the UE 306, the AS 304 determines, in steps 311a, 311b and 312, whether the one or more application(s) are authorised to be accessed and/or used by the UE 306 based on user control policy(ies) of the UE 306 and application profile information associated with each application that includes such information. In order to do this, in step 311a, the AS 304 retrieves from the second AS 305, using the identity of the UE 306, the user control information associated with the UE 306, which was retrieved by the second AS 305 from the user subscription or profile when the UE registered with the IMS CN 302. In step 311b, the second AS 302 sends the UE control policy(ies) to the first AS 304.
The AS, in step 312, determines, for each of the one or more application(s) that have an application profile information (retrieved based on the identity of the one or more applications), whether the application profile information when applied to the user control policy(ies) provides an output that indicates that the application is authorised. In step 313, the AS 304 may respond to the request message with a response message providing an indication that all the one or more application(s) are authorised to be accessed and/or used by the UE 306. This response may be a simple success response message (e.g. SIP 200 OK message). If one or more of the application(s) are not authorised to be accessed and/or used by the UE 306, then the response may be a simple rejection response message (e.g. SIP 4xx message) indicating the at least one of the application(s) is not authorised to be accessed by the UE 306. Alternatively, the response message may also include the details or a list of the application(s) that are authorised to be accessed. This provides the advantage that the UE 306 receives only those application(s) that are authorised to be accessed and/or used by the UE 306. The details may also include links to download locations of the authorised applications.
Figure 3c is a signalling flow diagram of the communication network 300 illustrating an example process of accessing the user control policy(ies) for use in controlling access to one or more applications according to the present invention. The communication network 300 includes the IMS core network (CN) 302, the UE 306 of the plurality of UEs (not shown), and the second AS 308, which is called a user control AS. The IMS CN 302 includes various IMS CN nodes such as, but not limited to, a P-CSCF, an I-CSCF, an S-CSCF and the HSS/Centralised User Data Base (CUDB). The user control AS 308 stores user control policy(ies) of each of the UEs that have registered with the IMS CN 302. It is assumed that the user subscription associated with the UE 306 includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies).
In operation, UE 306 registers with the IMS CN 302 by sending a SIP REGISTER request message towards the IMS CN 302, which is received by the P-CSCF, then the I-CSCF. The IMS CN 302 performs the standard registration procedure for registering UE 306 with the IMS CN 302. This also includes an authentication procedure, which is used to authenticate UE 306 with the network using various authentication protocols. Once authenticated, the IMS CN 302 sends a SIP 200 OK response message towards the UE 306 indicating the UE has been registered with the IMS CN 302 and may begin communicating over the communication network 300. In this example, during registration and authentication, the S-CSCF is configured to send a SIP REGISTER request message associated with UE 306 to the user control AS 308. On receiving this SIP REGISTER request message, the user control AS 308 sends a SIP RESPONSE message to the S-CSCF acknowledging the SIP REGISTER request message. In addition, in response to the SIP REGISTER request message, the user control AS 308 requests or pulls (e.g. SH-PULL) the user control policy(ies) associated with UE 306 from the user subscription/profile associated with UE 306 from the HSS/CUDB node. The Sh interface can be used to exchange user subscription or user profile information (e.g., user content policy(ies), user related data, group lists, user service related information or user location information or charging function addresses, etc.) between an AS and the HSS.
In response to the user control policy(ies) request, the HSS/CUDB sends the user control policy(ies) associated with UE 306 to the user control AS 305. The user control policy(ies) may define one or more rules and/or policy(ies) that the user that controls the user control policy(ies) would like to enforce to authorise or not authorise access by the UE to various content such as applications during, among other things, browsing/downloading/purchasing/installing and executing and/or viewing such applications or content for particular one or more UEs associated with the user's user subscription or profile. The user control policy(ies) may include personal data, authorization rules, parental contact information, parental control policy(ies) or rule(s). On receiving the user control policy(ies), the user control AS 308 stores the user control policy(ies) associated with the UE 306 for use when the first AS 304 determines whether the UE 306 is authorised to access or use one or more application(s) as described, for example, with reference to figures 2 and 3a-3b. Now that the UE 306 has registered with the IMS CN 302, the UE 306 has been authenticated by the IMS CN 302 and has been granted access to communication network 300.
Figure 3d is a signalling flow diagram of the communications network 300 illustrating a further example process of controlling access to one or more applications according to the present invention. The communication network 300 includes the IMS CN 302, the first AS 304, and the UE 306 of the plurality of UEs (not shown). The first AS 304 is configured to control access to the one or more applications in the network 300. At least one of the application(s) is associated with an application profile information provided by the developer of said application and which is stored in the communication network and accessible by the first AS 304. It is also assumed that the UE 306 has registered with the IMS CN 302, which means the UE 306 has been authenticated by the IMS CN 302 and has been granted access to communicate over the communication network 300. It is also assumed that the user subscription associated with the UE includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies).
In this example, the user of UE 306 has managed to download and install an application on the UE 306. In operation, the user of UE 306 proceeds to use the application. In step 319 the application starts to communicate with the communication network 300 (e.g. the application may communicate with a webserver or server associated with the application to download/access content etc.). The IMS CN 302 detects the application's communications over the communication network 300. In step 320, the IMS CN 302 or a network node or entity in the IMS CN 302 is triggered to send an authorisation request message to the first AS 304 for requesting whether the application is authorised to be accessed and/or used by the UE 306. The request message may include the identity of the UE 306 and the identity of the one or more application(s) the UE 306 has accessed or is using. On receiving the authorisation request message from the IMS CN 302, the first AS 304 determines, in steps 321-322, whether the application is authorised to be accessed and/or used by the UE 306 based on user control policy(ies) of the UE 306 and application profile information associated with the application. In order to do this, in step 321, the first AS 304 retrieves, using the identity of the UE 306, the user control information associated with the UE 306 from the user subscription or profile of the second AS or user control AS (not shown). The AS, in step 322, determines whether the application profile information of the application when applied to the user control policy(ies) provides an output that indicates that the application is authorised or is not authorised.
In this example, it is assumed that the application is not authorised for access or use by UE 306. Given this, in step 323, the AS 304 may respond to the authorisation request message by sending a response message to the IMS CN 302 providing an indication that the application is not authorised to be accessed and/or used by the UE 306. The response may be a simple rejection response message (e.g. SIP 4xx message) indicating the at least one of the application(s) is not authorised to be accessed by the UE 306. On receiving the response message indicating the application is not authorised for access or use by the UE 306, the IMS CN 302 in step 324 may proceed to block the application's communication with the communication network 300, preventing it from operating properly. Alternatively or in addition to blocking the communications of the application, either the IMS CN 302 or the first AS 304 may notify the user controlling the user control policy(ies) that the UE 306 is accessing or using an unauthorised application. This controlling user may then follow up with the user of the UE 306 to have the unauthorised application removed from the UE 306.
Alternatively, the controlling user may decide the application can be authorised and may update/modify the user control policy(ies) associated with the UE 306 such that the application will be an authorised application for the UE 306 to access and/or use.
If the application was authorised to be accessed or used by the UE 306, then the AS 304 may send a simple success response message (e.g. SIP 200 OK message) to the IMS CN 302. In which case, the IMS CN 302 allows the application to proceed to use the communication network 300 accordingly.
Figure 4a is a signalling flow diagram of another communication network 400 illustrating an example process of controlling access to one or more applications according to the present invention. The communication network 400 includes an IMS CN 402, an AS 404 coupled to an application database 405, and a UE 406 of a plurality of UEs (not shown). The AS 404 is configured to control access to the one or more applications in the network 400.
The application database 405 may be accessible by the AS 404. The application database 405 includes a plurality of records, where each record is associated with an application and may include application profile information associated with said application and/or the application identity (e.g. IARI) associated with the application. Not all records for applications will have an application profile information as this will be provided by the developer of the application. The application and application profile information may be submitted to the network operator by the developer of the application, and the network operator may approve the application and insert or update the application database 405 and the record associated with the application and application profile information. Application database 405 may be stored within AS 404 or within another AS or network entity in the network 400. It is also assumed that the UE 406 has registered with the IMS CN 402, which means the UE 406 has been authenticated by the IMS CN 402 and has been granted access to communicate over the communication network 400. It is also assumed that the user subscription associated with the UE 406 includes user control policy(ies) that have been set by a user or operator that is authorised to control the user control policy(ies) associated with the UE 406. The user control policy(ies) associated with the UE may also include details of the user or user(s) of the UE, for example, the age of the user, gender, religion, parent contact details, parental control information or rules etc.
In this example, the user control policy(ies) associated with UE 406 may include parental control policies, which are enforced when the user of UE 406 browses and downloads/purchases applications (e.g. RCS applications). For example, the user of UE 406 may be a child and the user controlling the user control policy(ies) associated with UE 406 is the child's parent. The invention relies on authentication in the communication network (e.g. IMS network authentication) and on the user control policy(ies) that includes information about the user, which is provided by the network 400. The enforcement of the parental control policies may be performed based on, among other information, the IMS Application Reference Identifier (IARI) of the application(s) in the network 400, application profile information of the application(s) in the network 400, and on the user control policy(ies) associated with the UE 406. Since the network 400 is aware of the user's or subscriber's personal data (e.g. age of the user of UE 406 etc.), specific applications that do not meet the enforcement requirements of the parental control policies or of the user control policy(ies) in general will be inaccessible to the user of UE 406.
For example, if the user of UE 406 is an underage person, then the enforcement provided by the invention will ensure specific applications that are not suitable for underage persons will be restricted. Given the application and application profile information may be submitted to the network operator by the developer of the application, the application developer will register their application and may declare it is suitable for users over 18 years old. Note that the application profile information should probably be judged together with the service provided and maybe a public regulator. The network operator may also approve the application profile information associated with the application. Once approved, the application profile information and application are inserted into, or updated in, the record of the application database 405 associated with the application and application profile information. There are various situations in which applications should be restricted, authorised or not authorised. For example, when the user of UE 406 is browsing an application market website, the user will be restricted to only seeing applications that are suitable for their age (e.g. this assumes the user control policy(ies) include the age of the user or other parental control rules/policies etc.). This means the applications will be filtered such that the user of UE 406 will not view the applications that are not suitable for their age. It is assumed that the application market site (e.g. the equivalent to the Android or Apple market but for IMS/RCS applications) belongs to the operator or the operator of the communication network. As another example, the user will see only the games, sharing tool applications and other application content that are suitable for their age. In operation, the user of UE 406 registers with the IMS CN 402. The user control policy(ies) is retrieved from the user subscription or user profile information during registration of the UE 406.
The user control policy(ies) may include parental control policies and other personal information of the user (e.g. the age of the user). The user control policy(ies) is made available to the AS 404, which may be an Application Market-AS or website and/or to the UE via a 3rd party registration. The AS 404 may include, in the application Market website, an application catalogue, which UEs may have access to so users may browse the application catalogue on their browsers. The user control policy(ies) may include parental control information about age of the user, parent contact address or UE, which can be retrieved from the user subscription and/or profile stored in the HSS (+ CUDB) via Sh. The Sh interface can be used to exchange user subscription or user profile information (e.g., user content policy(ies), user related data, group lists, user service related information or user location information or charging function addresses, etc.) between an AS and the HSS. When the user of UE 406 is browsing an application Market website on the AS 404 (e.g. via HTTP), in step 410, the UE 406 sends an HTTP request to the AS 404 requesting access to the application catalogue, which includes one or more application(s). This request message is sent via the IMS CN 402 to the AS 404. The AS 404 receives the HTTP request from UE 406, which may include the identity of the UE 406 and a request for access to the application catalogue. On receiving the HTTP request message from the UE 406, the AS 404 determines, in steps 411-412, whether one or more application(s) in the application catalogue are authorised to be accessed and/or used by the UE 406 based on the user control policy(ies) of the UE 406 and application profile information associated with each application in the application catalogue that includes such information.
In order to do this, in step 411, the AS 404 retrieves the user control policy(ies) associated with the UE 406, which may be stored in the AS 404 as the AS 404 may have retrieved this information when UE 406 registered with the IMS CN 402. Alternatively, the AS 404 may retrieve the user control policy(ies) associated with the UE 406 from another AS that is configured to store user control policy(ies) when UEs register with the IMS CN 402 or directly from the HSS/CUDB that stores the user subscription or profile associated with the UE. The AS 404, in step 412, determines, for each of the one or more application(s) that have application profile information, whether the application profile information, when applied to the user control policy(ies), provides an output that indicates that the application is authorised. In step 412a, the AS 404 retrieves the application profile information for each of the applications based on the identity of the applications from the application database 405. As such, the AS 404 compiles data representative of all the application(s) in the application catalogue that are authorised to be accessed and/or used by the UE 406, such that only authorised applications will be shown to the user as the user browses the application catalogue. In step 413, the AS 404 may respond to the HTTP request message with an HTTP response message providing an indication of the authorised applications that can be accessed and/or used by the UE 406. The HTTP response message includes the necessary details to allow the user of UE 406 to browse the authorised applications in the application catalogue of the AS 404. This provides the advantage that the UE 406 receives only those application(s) that are authorised to be accessed and/or used by the UE 406, and that the user of the UE 406 can only view, browse, download/purchase such authorised applications. The AS application Market does not display the applications that are not suitable for the user's age, or the applications that do not fulfil the user control policy(ies).
Figure 4b is a signalling flow diagram of the communication network 400 of Figure 4a illustrating another example process of controlling access to one or more applications according to the present invention. The communication network 400 includes the IMS CN 402, the AS 404 coupled to the application database 405, and the UE 406 of the plurality of UEs (not shown). The AS 404 is configured to control access to the one or more applications in the network 400. The AS 404 may be coupled to a user control AS 408.
In this example the AS 404 is a Market AS 404 that includes the user control AS 408. However, it is to be appreciated that the Market AS 404 and user control AS 408 may be located in different network entities/nodes/ASs etc. The Market AS 404 may include a market website and/or an application catalogue for use by the UE 406 when the user browses the application catalogue on the Market AS 404. The user control AS 408 retrieves the user control policy(ies) associated with UE 406 when UE 406 registers with the IMS CN 402 as described with reference to Figure 3c and Figure 4a. For example, the user control policy(ies) are retrieved from the user subscription or user profile information during registration of the UE 406 and stored in the user control AS 408.
The operation is similar to that described with reference to Figure 4a. When the user of UE 406 is browsing the application catalogue on Market-AS 404, in step 420, the UE 406 sends an HTTP request to the Market-AS 404 requesting access to the application catalogue, which includes one or more application(s). The Market-AS 404 receives the HTTP request from UE 406, and determines, in steps 421-422, whether one or more application(s) in the application catalogue are authorised to be accessed and/or used by the UE 406 based on the user control policy(ies) of the UE 406 and application profile information associated with each application in the application catalogue that includes such information.
In order to do this, in step 421, the Market-AS 404 retrieves the user control policy(ies) associated with the UE 406 from user control AS 408. The Market-AS 404, in step 422, determines, for each of the one or more application(s) that have application profile information, whether the application profile information, when applied to the user control policy(ies), provides an output that indicates that the application is authorised. The Market-AS 404 also retrieves the application profile information for each of the applications based on the identity of the applications from the application database 405. As such, the Market-AS 404 compiles data representative of all the application(s) in the application catalogue that are authorised to be accessed and/or used by the UE 406, such that only authorised applications will be shown to the user as the user browses the application catalogue. In step 423, the Market-AS 404 responds to the HTTP request message with an HTTP response message providing an indication of the authorised applications that can be accessed and/or used by the UE 406. The HTTP response message includes the necessary details to allow the user of UE 406 to browse the authorised applications in the application catalogue of the Market-AS 404. This provides the advantage that the UE 406 receives only those application(s) that are authorised to be accessed and/or used by the UE 406, and that the user of the UE 406 can only view, browse, download/purchase such authorised applications. The Market-AS 404 does not display the applications that are not suitable for, by way of example, the user's age, or the applications that do not fulfil the user control policy(ies).
In another scenario, the user of UE 406 may get a direct link to an unauthorised application via other means (e.g. email, chat rooms etc.). The user of UE 406 may attempt to access and download or retrieve the application from the direct link, which is a direct link to the Market AS 404. In this instance, the HTTP request message is a request for accessing the application via the direct link, which identifies the application to download. When the Market-AS 404 receives the HTTP request from UE 406, it performs the steps 421-422 as it did previously, to determine whether the application associated with the direct link is authorised to be accessed and/or used by the UE 406 based on the user control policy(ies) of the UE 406 and application profile information associated with the application based on the direct link. Since the application is an unauthorised application, the Market-AS 404, in step 423, sends an HTTP response rejecting the HTTP request (e.g. the Application Market-AS will check the user's age and will reject the HTTP request). Thus, the user of UE 406 is prevented from accessing unauthorised applications regardless of whether they browsed the application catalogue or not. Optionally a notification can be sent to the parent, if any, or to the user authorised to control the user control policy(ies).
Figure 4c is a signalling flow diagram of the communication network 400 of figures 4a and/or 4b illustrating another example process of controlling access to one or more applications according to the present invention. The communication network 400 includes the IMS CN 402 coupled to the user control AS 408, where the user control AS 408 is also coupled to the application database 405, and the UE 406 of the plurality of UEs (not shown). The user control AS 408 may be located within a network entity/node of the IMS CN 402; similarly, the application database may be located within the user control AS 408 or within another AS within the network 400. In this example, the user control AS 408 is configured to control access to the one or more applications in the network 400. The user control AS 408 retrieves the user control policy(ies) associated with UE 406 when UE 406 registers with the IMS CN 402 as described with reference to Figure 3c and Figure 4a. For example, the user control policy(ies) are retrieved from the user subscription or user profile information during registration of the UE 406 and stored in the user control AS 408. In this scenario, the user of UE 406 manages to install an unauthorised application in the UE 406 (e.g. hacking the terminal). The network 400 is configured to stop any attempt to communicate using the unauthorised application. For example, in case the user of UE 406 manages to use the unauthorised application from the UE 406, in step 429 the application may send a SIP request when it starts to communicate over the communication network 400. The IMS CN 402 detects this communication, and the IMS CN 402 or an AS or network entity (not shown) in the IMS CN 402 is configured, in steps 430-433, to determine whether the application is authorised using user control AS 408 and database 405. Alternatively, the user control AS 408 may be configured to determine whether the application is authorised to be used by the UE 406.
In order to do this, in step 430, the IMS CN 402 (or user control AS 408) retrieves the user control policy(ies) associated with the UE 406 from user control AS 408. The IMS CN 402 (or user control AS 408), in step 431, retrieves, using the IARI from the SIP request message to identify the application, the application profile information associated with the application via user control AS 408 and the application database 405. The IMS CN 402 (or user control AS 408) uses the user control policy(ies) and the application profile associated with the application to determine whether the UE 406 is authorised to access or use the application. In this example, the application is assumed to be an unauthorised application. As the application is an unauthorised application, the IMS CN 402 (or user control AS 408) sends an error message (e.g. Error(not authorized) message) to UE 406 or the application on the UE 406 indicating it is not authorised, or indicating that it cannot access the communication network 400. In addition, the communication by the application may then be stopped or blocked by the IMS CN 402 based on the IARI in the request. Optionally, a notification can be sent to the parent or user authorised to control the user control policy(ies) that the UE 406 is not authorised to use this particular application.
Other scenarios or modifications of the present invention may include, when the UE 406 exchanges capabilities, if the restricted or unauthorised application's IARI is part of the list of capabilities of the user, then a CX-AS (not shown) is configured to perform the functionality of the AS(s) according to the invention as described with respect to figures 2 to 4c to determine whether each of the application(s) is authorised to be accessed or used by the UE 406. Alternatively or additionally, the CX-AS may send a request on behalf of the UE 406 requesting whether the one or more applications in the list of capabilities are authorised to be accessed or used by the UE 406 as described with reference to figures 2 to 4c. In any event, the CX-AS receives a response or determines the applications that are unauthorised and removes those IARIs from the list of capabilities and optionally informs the parent or user authorised to control the user control policy(ies).
Figure 4d is a signalling flow diagram of the communication network 400 of figures 4a and/or 4b illustrating another example process of controlling access to one or more applications according to the present invention. The communication network 400 includes the IMS 402, a user control AS 408 (or HSS), an application database or server 405 and the UE 406 of the plurality of UEs (not shown). In this example, the UE 406 includes the functionality of an apparatus 406a that is configured to control access to the one or more applications in the network 400. However, it is to be appreciated that the apparatus 406a may be independent of the UE 406, for example, a network entity may be configured to include the functionality of the apparatus 406a. The user control AS 408 retrieves the user control policy(ies) associated with UE 406 when UE 406 registers with the IMS CN 402 as described with reference to Figure 3c and/or Figure 4a. For example, the user control policy(ies) are retrieved from the user subscription or user profile information during registration of the UE 406 and stored in the user control AS 408. The application database 405 may be located within or coupled to the user control AS 408 or the application database 405 may be located within or coupled to another AS/network entity/node (not shown). In this example, the application database 405 is coupled to the user control AS 408.
In operation, in step 440, the apparatus 406a is triggered to perform a determination of whether the UE 406 may access and/or use one or more of the application(s). The apparatus 406a may be triggered by detecting whether the UE 406 is attempting to browse or access one or more application(s), download one or more application(s), install one or more application(s), or even access or use one or more application(s). In any event, when the apparatus 406a is triggered the apparatus 406a performs step 441 and retrieves one or more user control policy(ies) associated with the UE 406, where the user subscription or profile associated with the UE 406 may be stored in the network and includes the user control policy(ies). It is to be appreciated that retrieving the user control policy(ies) may include reading the user control policy(ies) from memory/storage of the UE 406, or retrieving the user control policy(ies) from the network or the user subscription associated with the UE 406. In this example, the user control policy(ies) associated with the UE 406 are retrieved from the user control AS 408.
After retrieving the user control policy(ies), the apparatus 406a performs step 442 to retrieve application profile information associated with at least one of the one or more application(s). In this example, the application profile information associated with at least one of the one or more application(s) is retrieved from the application database 405 via the user control AS 408. The apparatus 406a is then configured to perform step 443 and determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications. The apparatus is then configured to perform step 444, and indicate, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE. This may involve displaying a message to the user as to whether the one or more application(s) are authorised to be used by the UE. For example, a message may be displayed to the user that the user of UE 406 has attempted to access/use one or more unauthorised application(s). For any authorised application(s), the user need not be notified and the indication is simply a trigger allowing the authorised application(s) to be used normally. Any authorised applications may simply be used. Alternatively or additionally, the use of any unauthorised application(s) may be blocked or the communications by such application(s) blocked by the UE 406. Further, the parent or user authorised to control the user control policy(ies) may be notified that there are unauthorised application(s) that have been accessed or used on UE 406.
In step 443, determining whether one or more application(s) are authorised to be accessed by the UE 406 may further include, for each of the one or more application(s) associated with application profile information, determining the UE 406 is authorised to access and/or use said each application when the user control policy(ies) associated with the UE 406 is applied to the application profile information associated with said each application indicating the UE 406 is authorised to access said each application. Additionally or alternatively, in step 443, determining whether one or more application(s) are authorised to be accessed by the UE 406 may further include, for each of the one or more application(s) associated with application profile information, determining the UE 406 is not authorised to access and/or use said each application when the user control policy(ies) associated with the UE 406 is applied to the personal information associated with said each application indicating the UE 406 is not authorised to access said each application. Additionally, step 443 may further include, for an application not associated with any application profile information, determining the UE 406 is authorised to access and/or use said application. Alternatively, step 443 may also further include, for an application not associated with any application profile information, determining the UE 406 is not authorised to access said application.
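The following added example (not part of the patent text) sketches in Python the authorisation decision of steps 412, 422, 431 and 443 and reuses it on the catalogue, direct-link and SIP paths, so that an application hidden from the catalogue cannot be reached another way. The field names `min_age`, `blocked_iaris` and `allow_unprofiled`, the HTTP status codes and the sample IARI values are assumptions constructed for illustration.

```python
"""Authorisation decision shared by the flows of Figures 4a-4d (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed IARI values used as application identities in this example.
CHAT = "urn:urn-7:3gpp-application.ims.iari.example.chat"
GAME18 = "urn:urn-7:3gpp-application.ims.iari.example.game18"
UNPROFILED = "urn:urn-7:3gpp-application.ims.iari.example.unprofiled"


@dataclass(frozen=True)
class AppProfile:
    """Application profile information (assumed to be a declared minimum age)."""
    min_age: int


@dataclass(frozen=True)
class UserControlPolicy:
    """User control policy(ies) taken from the user subscription (assumed shape)."""
    user_age: int
    blocked_iaris: frozenset = frozenset()  # assumed explicit parental rule
    # The text allows either outcome for an application without profile
    # information; False fails closed, True fails open.
    allow_unprofiled: bool = False


# Constructed stand-in for application database 405; UNPROFILED has no record.
APP_DB: Dict[str, AppProfile] = {
    CHAT: AppProfile(min_age=0),
    GAME18: AppProfile(min_age=18),
}


def is_authorised(policy: UserControlPolicy, iari: str,
                  app_db: Dict[str, AppProfile] = APP_DB) -> bool:
    """Apply the user control policy to one application's profile."""
    if iari in policy.blocked_iaris:
        return False
    profile = app_db.get(iari)
    if profile is None:
        return policy.allow_unprofiled
    return policy.user_age >= profile.min_age


def filter_catalogue(policy: UserControlPolicy, catalogue: Iterable[str],
                     app_db: Dict[str, AppProfile] = APP_DB) -> List[str]:
    """Catalogue browsing: return only the authorised applications.

    The same filter fits the capability-list case, where unauthorised
    IARIs are removed from the list of capabilities.
    """
    return [iari for iari in catalogue if is_authorised(policy, iari, app_db)]


def handle_direct_link(policy: UserControlPolicy, iari: str,
                       app_db: Dict[str, AppProfile] = APP_DB) -> Tuple[int, bool]:
    """Direct link to one application: (HTTP status, notify controlling user).

    The status codes are assumptions; the text only says the request is rejected.
    """
    if is_authorised(policy, iari, app_db):
        return 200, False
    return 403, True


def handle_sip_request(policy: UserControlPolicy, iari: str,
                       app_db: Dict[str, AppProfile] = APP_DB) -> Tuple[str, bool]:
    """SIP request carrying an IARI: (action, notify controlling user)."""
    if is_authorised(policy, iari, app_db):
        return "forward", False
    return "Error(not authorized)", True


if __name__ == "__main__":
    child = UserControlPolicy(user_age=12)
    print(filter_catalogue(child, [CHAT, GAME18, UNPROFILED]))
    print(handle_direct_link(child, GAME18))
    print(handle_sip_request(child, GAME18))
```

With `allow_unprofiled` left at `False`, an application whose developer never submitted profile information is treated as not authorised on every path.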
The application database 405 may be accessible by the apparatus 406a, e.g. accessible via another AS, where the application database 405 may include a plurality of records stored therein, where each record is associated with an application and includes the application profile information associated with said application. In step 442, the apparatus 406a may retrieve one or more application profile information associated with corresponding one or more applications. Alternatively or additionally, at least one of the one or more application(s) may include application profile information and, in step 442, retrieving the application profile information further includes extracting the application profile information from said at least one of the one or more application(s). For example, the application profile information may be included in the installation file of the application, or in a header associated with the data representative of the application, or stored in the application in any other form. Alternatively or additionally, the application profile information for an application may be retrieved directly from the developer of the application.
Further, in step 441, retrieving the one or more user control policy(ies) associated with the UE 406 may further include retrieving said one or more user control policy(ies) associated with the UE from a subscriber server (e.g. an HSS) or an AS hosting the user subscription or user profile associated with the UE. Additionally or alternatively, the user control policy(ies) includes one or more parental control policy(ies) associated with the UE 406 and the application profile information associated with at least one of the one or more application(s) includes parental control information associated with said at least one of the one or more application(s). Other modifications of the invention may include the UE 406 including the functionality according to the invention in the operating system of the UE 406, or the functionality according to the invention in an installer application on the UE 406, or any other application. The UE 406 may be configured, for sending, to an AS for controlling access to one or more applications according to the invention, one or more request(s) for whether any installed one or more applications on the UE 406 are authorised to be accessed or used by the UE 406. Therefore, in case the user of UE 406 manages to get the installer file of an unauthorised application, the UE 406 will check whether the application is authorised and, if not, will reject the installation.
Alternatively, the UE 406 may be configured to perform the functionality of the AS for controlling access to one or more applications according to the invention and as described herein, whereby the UE 406 only requests the user control policy(ies) from the user control AS or directly from the HSS, and/or requests application profile information from a database 405 or parses the installation file for the application to determine whether any application profile information is present. Using this information, the UE 406 may be able to determine whether one or more application(s) installed on the UE 406 are authorised or not. The UE 406 may then refuse to install the application(s) or the UE 406 may uninstall the applications. Optionally, the UE may notify the user authorised to control the user control policy(ies).
Figure 5 is a schematic illustration of an example apparatus 500 according to the invention. The apparatus may be for use in controlling access to applications in the communications network. The communications network includes an IMS, an AS and a plurality of UEs, where at least one of the applications is associated with an application profile information. The apparatus 500 may include the functionality of a processor 501, receiver 502, transmitter 503 and memory 504, the processor 501 being coupled to the receiver 502, the transmitter 503 and the memory unit 504. The memory unit 504 may contain instructions executable by said processor 501. The transmitter 503 is configured to transmit a message to the AS for access to one or more of the application(s). The receiver 502 is configured to receive, in response to the transmitted message, an indication of whether the one or more application(s) are authorised to be accessed by the UE based on user control policies associated with the UE and an application profile information for each of the one or more application(s) that are associated with an application profile information. The user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies). Additionally or alternatively, the apparatus 500 may be configured to be used in a UE, associated with a UE, or used in a network entity operating on behalf of the UE. The apparatus 500 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
Alternatively or additionally, the apparatus 500 may be configured for use in controlling access to applications in the communications network. The communications network includes the IMS and the plurality of UEs, where at least one of the applications is associated with application profile information. The apparatus 500 may include the functionality of a processor 501, receiver 502, transmitter 503 and memory 504, the processor 501 being coupled to the receiver 502, the transmitter 503 and the memory 504. The memory 504 contains instructions executable by said processor 501. The processor 501 may be configured to trigger the apparatus 500 to determine whether a UE associated with the apparatus may access and/or use one or more of the application(s). The processor 501 or receiver 502 and transmitter 503 may be further configured to retrieve one or more user control policy(ies) associated with the UE. These may be retrieved from memory 504 in apparatus 501 (e.g. from a previous determination session) or from the network. The user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies). The processor 501 or receiver 502 and transmitter 503 may be further configured to retrieve application profile information associated with at least one of the one or more application(s). These may be retrieved from memory 504 in apparatus 501 (e.g. from a previous determination session) or from the network. The processor 501 may be further configured to determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications. The processor 501 is further configured to indicate, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE. Additionally or alternatively, the apparatus 500 may be configured to be used in a UE, associated with a UE, or used in a network entity operating on behalf of the user. The apparatus 500 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
Figure 6 is a schematic illustration of an example AS 600 according to the invention. The AS 600 may be for use in controlling access to applications in a communications network. The communications network includes an IMS and a plurality of UEs. At least one of the applications is associated with an application profile information. The AS 600 may include the functionality of a processor 601, receiver 602, transmitter 603 and memory 604, the processor 601 being coupled to the receiver 602, the transmitter 603 and the memory unit 604. The memory unit 604 contains instructions executable by said processor 601. The processor 601 and/or receiver 602 may be configured to receive a message associated with a UE of the plurality of UEs for access to one or more of the application(s). The processor 601 or receiver 602 and transmitter 603 may be further configured to retrieve one or more user control policy(ies) associated with the UE. These may be retrieved from memory unit 604 in AS 600 (e.g. from a previous determination session) or from the network. The user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies). The processor 601 of AS 600 may be further configured to determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications. The processor 601 and/or transmitter 603 of AS 600 is configured to send, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
The AS 600 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
Figure 7 is a schematic illustration of an example network entity or AS 700 (e.g. an IMS CN Node) according to the invention. The network entity or AS 700 is for use in controlling access to applications in a communications network. The communications network includes an IMS, a second AS and a plurality of UEs, where at least one of the applications is associated with an application profile information. The network entity or AS 700 may include the functionality of a processor 701, receiver 702, transmitter 703 and memory 704, the processor 701 being coupled to the receiver 702, the transmitter 703 and the memory 704. The memory 704 contains instructions executable by said processor 701. The processor 701 and/or transmitter 703 of said network entity or AS 700 may be configured to transmit an authorisation request (or a request) associated with a UE of the plurality of UEs to the second AS. The authorisation request includes the identity of each of said one or more application(s) being accessed or used by said UE. The processor 701 and/or receiver 702 of the network entity or AS 700 is further configured to receive, from the second AS, data representative of whether the UE is authorised or not authorised to access or use said one or more application(s) based on the user control policy(ies) of the UE and the application profile information for each of the one or more application(s) that are associated with an application profile information. The user subscription or user profile associated with the UE can be stored in the network and includes the user control policy(ies). The AS 700 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
Figure 8 is a schematic illustration of an example user control AS 800 according to the invention. The user control AS 800 is for use in controlling access to applications in a communications network. The communications network includes an IMS, an AS associated with the applications, and a plurality of UEs, where at least one of the applications is associated with an application profile information. The user control AS 800 may include the functionality of a processor 801, receiver 802, transmitter 803 and memory unit 804, the processor 801 being coupled to the receiver 802, the transmitter 803 and the memory unit 804. The memory unit 804 contains instructions executable by said processor 801. The processor 801 and/or receiver 802 of said user control AS 800 may be configured to detect IMS registration of a UE from the plurality of UEs.
The processor 801 and/or receiver 802 and transmitter 803 of said user control AS 800 may be configured to retrieve user control policy(ies) associated with the UE from the user subscription or profile associated with the UE. These may be retrieved from memory unit 804 in AS 800 (e.g. from a previous determination session) or from the network (e.g. from an HSS). The user control policy(ies) are stored or associated with the user subscription or profile associated with the UE. The processor 801 and memory unit 804 of the user control AS 800 may be further configured to store the user control policy(ies) associated with the UE. The processor 801 and/or receiver 802 of the user control AS 800 may be configured to receive a request for the user control policy(ies) associated with the UE from the AS associated with the applications. The processor 801 and/or transmitter 803 of the user control AS 800 may be further configured to transmit, in response to said request, said user control policy(ies)
associated with the UE to the AS associated with the applications for use in determining whether the UE is authorised to access one or more application(s) based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more applications. The user control AS 800 may further include the functionality of any of the method(s) as described herein and/or with respect to Figures 2 to 4d.
The servers, UEs, network entities, apparatus and computing systems as described herein each may perform the methods and processes as described herein. The processors of such systems are configured to execute computer program instructions based on the methods and processes described herein, such instructions being contained in a computer-readable medium or non-transitory computer readable medium, such as memory. The computer program instructions may be read into memory from another computer-readable medium or from another device via a communication interface. The instructions contained in memory cause the processor of a client device, reputation system, server, or other such computer system to perform processes or methods as described herein. Alternatively or additionally, there is provided a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out one or more of the method(s) as described or the functionality of the servers, UEs, network entities, and apparatus as described. A carrier may be provided containing the computer program as described, where the carrier is one of an electronic signal, optical signal, radio signal, non-transitory computer readable medium, or computer readable storage medium. Alternatively or in addition, hardwired circuitry may be used in place of or in combination with the computer program instructions to implement processes and methods consistent with the present invention. Examples of hardware circuitry may include, but are not limited to, semiconductor chips, integrated circuits, field programmable gate arrays, application-specific integrated circuits, electronically programmable integrated circuits and the like. Thus, the present invention is not limited to any specific combination of hardware circuitry and/or software.
Although the invention has been described in terms of example solutions or preferred embodiments as set forth above, it should be understood that these examples or embodiments are illustrative only and that the claims are not limited to only those examples or embodiments. Those skilled in the art will be able to make modifications and alternatives in view of the disclosure which are contemplated as falling within the scope of the appended claims. Each of the features, steps, servers or apparatus disclosed or illustrated in the present specification may be incorporated into the invention, whether alone or in any appropriate combination with any other feature, step, or node disclosed or illustrated herein.
Claims
1. A method for controlling access to applications in a communications network (300; 400), the communications network (300; 400) comprising an Internet Protocol Multimedia Subsystem, IMS, (302; 402) an application server, AS, (304; 304a; 404; 404a) and a plurality of user equipments, UEs, wherein at least one of the applications is associated with an application profile information, the method, performed by the AS (304; 304a; 404; 404a), comprising:
receiving a message (A1; 310; 320; 410; 420; 430) associated with a UE (306; 406) of the plurality of UEs for access to one or more of the application(s);
retrieving (A2; 311; 321; 411; 421; 431) one or more user control policy(ies) associated with the UE (306; 406), wherein the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies);
determining (A3; 312; 322; 412; 422; 432) whether the one or more application(s) are authorised to be accessed by the UE (306; 406) based on the user control policies associated with the UE (306; 406) and the application profile information associated with at least one of the one or more application(s); and
sending (A4; 313; 323; 413; 423; 433), in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE (306; 406).
2. A method as claimed in claim 1, wherein the step of determining whether one or more application(s) are authorised to be accessed by the UE further comprises, for each of the one or more application(s) associated with application profile information: determining the UE is authorised to access said each application when the user control policy(ies) associated with the UE is applied to the application profile information associated with said each application indicating the UE is authorised to access said each application; and
determining the UE is not authorised to access said each application when the user control policy(ies) associated with the UE is applied to the personal information associated with said each application indicating the UE is not authorised to access said each application.
3. A method as claimed in claims 1 or 2, wherein the step of determining whether one or more application(s) are authorised to be accessed by the UE further comprises, for an application not associated with any application profile information, determining the UE is authorised to access said application.
4. A method as claimed in any one of claims 1 to 3, wherein the step of determining (312; 412) further comprises generating a list of authorised applications; and
the step of sending an indication further comprises sending (313; 413) data representative of the generated list of authorised applications.
5. A method as claimed in any one of claims 1 to 3, wherein the step of sending an indication further comprises:
sending a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s); and
sending a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s).
6. A method as claimed in claim 5, wherein:
The response message indicating the request for access was successful is a Session Initiation Protocol, SIP, successful response message; and
The response message indicating the request for access failed is a SIP client failure response message.
7. A method as claimed in claim 6, wherein the SIP successful response message is a SIP 200 OK message.
8. A method as claimed in any one of the preceding claims, wherein the step of receiving a message associated with the UE further comprises receiving a request (310; 410) for accessing the one or more application(s); and
the step of sending the indication further comprises sending (313; 413) data representative of the one or more application(s) authorised to be accessed and/or used by the UE for display to the user of the UE.
9. A method as claimed in claim 8, wherein the request is a Hypertext Transfer Protocol, HTTP, request (410), and the indication includes data representative of HTTP information (413) associated with the one or more application(s) authorised to be accessed by the UE for display to the user of the UE.
10. A method as claimed in any one of the preceding claims, wherein the step of determining further comprises determining (322; 432) the one or more application(s) that are not authorised to be accessed by the UE based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s); and
the step of sending an indication further comprises sending (323-324; 433-434) data representative that the UE is not authorised to access at least one of the one or more application(s) when at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
11. A method as claimed in claim 10, wherein the step of receiving a message further comprises receiving a request (310; 320; 430) to retrieve at least one of the one or more application(s) from the AS; and
the step of sending an indication further comprises sending data representative (313; 323-324; 433-434) of a rejection response when said at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
12. A method as claimed in claim 11, wherein the request to retrieve at least one of the one or more application(s) is a SIP request.
13. A method as claimed in any one of the preceding claims, wherein the step of receiving a message further comprises receiving an authorisation request (320) associated with the UE from the network, the authorisation request including the identity of each of said one or more application(s) being accessed by said UE; and the step of sending an indication further comprises sending data representative of whether the UE is authorised or not authorised (323) to access said one or more application(s) based on the user control policy(ies) of the UE.
14. A method as claimed in claim 13, wherein the authorisation request is from the IMS and is triggered by the IMS due to communications (319) over the network by one or more of the application(s) being accessed and/or used on the UE.
15. A method as claimed in claim 13, wherein the authorisation request is from a capabilities exchange AS in response to a capabilities exchange related to the one or more of the application(s) being accessed and/or used by the UE.
16. A method as claimed in any one of claims 13 to 15, wherein the identity of each of said one or more application(s) is based on IMS application reference identifiers of each of said one or more application(s).
17. A method as claimed in any preceding claim, wherein the communication network (400) further comprises an application database (405) accessible by the AS (404), the application database comprising a plurality of records, wherein each record is associated with an application and includes the application profile information associated with said application, wherein the step of determining further comprises accessing the application database and retrieving (412a) one or more applications based on the user control policy(ies) associated with the UE and the application profile information associated with the one or more applications.
18. A method as claimed in any preceding claim, wherein when one or more of the applications are not authorised to be accessed by the UE, sending a notification message indicating the one or more applications the UE is not authorised to access to another UE of a user authorised to control the user control policy(ies) associated with the UE.
19. A method as claimed in any preceding claim, wherein retrieving one or more user control policy(ies) associated with the UE further comprises retrieving said one or more user control policy(ies) associated with the UE from an AS hosting the user subscription or user profile associated with the UE.
20. A method as claimed in any one of claims 1 to 18, wherein retrieving one or more user control policy(ies) associated with the UE further comprises retrieving said one or more user control policy(ies) associated with the UE from another AS having access to the user control policy(ies) after the UE registered with the IMS.
21. A method as claimed in any one of claims 1 to 19, wherein the user control policy(ies) comprise one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
22. A method for controlling access to applications in a communications network, the communications network comprising an Internet Protocol Multimedia Subsystem, IMS, an application server, AS, and a plurality of user equipments, UEs, wherein at least one of the application(s) is associated with an application profile information, the method, performed by an apparatus, comprising:
transmitting a request message associated with a UE of the plurality of UEs to the AS for access to one or more of the application(s);
receiving, in response to the transmitted message, an indication of whether the one or more application(s) are authorised to be accessed or used by the UE based on user control policies associated with the UE and an application profile information for each of the one or more application(s) that are associated with an application profile information, wherein the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
23. A method as claimed in claim 22, wherein the step of receiving an indication further comprises receiving data representative of the one or more application(s) authorised to be accessed by the UE.
24. A method as claimed in claim 23, wherein the message comprises a Hypertext Transfer Protocol, HTTP, request, and the indication includes data representative of HTTP information associated with the one or more application(s) authorised to be accessed by the UE for display to the user of the UE.
25. A method as claimed in any one of claims 22 to 24, wherein the step of receiving an indication further comprises receiving data representative that the UE is not authorised to access at least one of the one or more application(s) when at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
26. A method as claimed in claim 25, wherein the step of transmitting a message further comprises transmitting a request to retrieve at least one of the one or more application(s) from the AS; and
the step of receiving an indication further comprises receiving data representative of a rejection response when said at least one of the one or more application(s) is determined not authorised to be accessed by the UE.
27. A method as claimed in any one of claims 22 to 26, further comprising, in response to communication over the network by at least one application being accessed on the UE, receiving data representative of a rejection response when said at least one application is determined not authorised to be accessed by the UE based on the user control policy(ies) associated with the UE and the application profile information associated with the at least one application; and
blocking further communication over the network by said at least one application on the UE.
28. A method as claimed in any one of claims 22 to 27, wherein the user control policy(ies) comprise one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
29. A method as claimed in any one of claims 22 to 28, wherein the step of receiving the indication further comprises:
receiving a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s); and
sending a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s).
30. A method for controlling access to applications in a communications network, the communications network comprising an Internet Protocol Multimedia Subsystem, IMS, an application server, AS, and a plurality of user equipments, UEs, wherein at least one of the applications is associated with an application profile information, the method, performed by an AS in the IMS, comprising:
transmitting an authorisation request associated with the UE to said AS, the authorisation request including the identity of each of said one or more application(s) being accessed or used by said UE; and
receiving data representative of whether the UE is authorised or not authorised to access or use said one or more application(s) based on the user control policy(ies) of the UE and the application profile information for each of the one or more application(s) that are associated with an application profile, wherein the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
31. A method as claimed in claim 30, wherein the authorisation request is triggered when the AS in the IMS detects communications over the network by one or more of the application(s) being accessed or in use on the UE.
32. A method as claimed in claim 30, wherein the AS in the IMS is a capabilities exchange AS and the authorisation request is in response to a capabilities exchange related to the one or more of the application(s) capable of being accessed or used by the UE.
33. A method as claimed in any one of claims 30 to 32, wherein the identity of each of said one or more application(s) is based on IMS application reference identifiers of each of said one or more application(s).
34. A method as claimed in any one of claims 30 to 33, wherein the user control policy(ies) comprise one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
35. A method as claimed in any one of claims 30 to 34, wherein the step of receiving data representative of whether the UE is authorised or not further comprises: receiving a response message indicating the request for access was successful when the UE is determined to be authorised to access the one or more application(s); and
sending a response message indicating the request for access failed when the UE is determined to be unauthorised to access the one or more application(s).
36. A method for controlling access to applications in a communications network, the communications network comprising an Internet Protocol Multimedia Subsystem, IMS, an application server, AS, associated with the applications, and a plurality of user equipments, UEs, wherein at least one of the applications is associated with application profile information, the method, performed by another AS, comprising:
detecting IMS registration of a UE from the plurality of UEs;
retrieving user control policy(ies) associated with the UE from the user subscription or profile associated with the UE, wherein the user control policy(ies) are previously stored or associated with the user subscription or profile associated with the UE;
storing the user control policy(ies) associated with the UE;
receiving a request for the user control policy(ies) associated with the UE from the AS associated with the applications; and
transmitting, in response to said request, said user control policy(ies) associated with the UE to the AS associated with the applications for use in determining whether the UE is authorised to access one or more application(s) based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more applications.
37. A method as claimed in claim 36, wherein the user control policy(ies) comprise one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
38. A method for use in controlling access to applications in a communications network, the communications network including an Internet Protocol Multimedia Subsystem, IMS, and a plurality of UEs, wherein at least one of the applications is associated with application profile information, the method, performed by an apparatus, comprising the steps of:
triggering a determination of whether a UE of the plurality of UEs may access and/or use one or more of the application(s);
retrieving one or more user control policy(ies) associated with the UE, wherein the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies);
retrieving application profile information associated with at least one of the one or more application(s);
determining whether the one or more application(s) are authorised to be accessed or used by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications;
indicate, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE.
39. A method as claimed in claim 37, wherein the step of determining whether one or more application(s) are authorised to be accessed by the UE further comprises, for each of the one or more application(s) associated with application profile information: determining the UE is authorised to access or use said each application when the user control policy(ies) associated with the UE is applied to the application profile information associated with said each application indicating the UE is authorised to access said each application; and
determining the UE is not authorised to access or use said each application when the user control policy(ies) associated with the UE is applied to the personal information associated with said each application indicating the UE is not authorised to access said each application.
40. A method as claimed in claims 38 or 39, wherein the step of determining whether one or more application(s) are authorised to be accessed by the UE further comprises, for an application not associated with any application profile information, determining the UE is authorised to access said application.
41. A method as claimed in any one of claims 38 to 40, wherein the communication network further comprises an application database (405) accessible by the apparatus, the application database comprising a plurality of records, wherein each record is associated with an application and includes the application profile information associated with said application, wherein the step of retrieving the application profile information further comprises retrieving one or more application profile information associated with the one or more applications.
42. A method as claimed in any one of claims 38 to 41, wherein at least one of the one or more application(s) includes application profile information and the step of retrieving the application profile information further comprises extracting the application profile information from said at least one of the one or more application(s).
43. A method as claimed in any one of claims 38 to 42, wherein retrieving one or more user control policy(ies) associated with the UE further comprises retrieving said one or more user control policy(ies) associated with the UE from a subscriber server or an AS hosting the user subscription or user profile associated with the UE.
44. A method as claimed in any one of claims 38 to 43, wherein the user control policy(ies) comprise one or more parental control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more application(s) comprises parental control information associated with said at least one of the one or more application(s).
45. An application server, AS, for use in controlling access to applications in a communications network, the communications network comprising an Internet Protocol Multimedia Subsystem, IMS, and a plurality of user equipments, UEs, wherein at least one of the applications is associated with an application profile information, the AS is configured to:
receive a message associated with a UE of the plurality of UEs for access to one or more of the application(s);
retrieve one or more user control policy(ies) associated with the UE, wherein the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies);
determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications; and
send, in response to the message, an indication of whether the one or more application(s) are authorised to be accessed by the UE.
46. An apparatus for use in controlling access to applications in a communications network, the communications network comprising an Internet Protocol Multimedia Subsystem, IMS, an application, AS, and a plurality of user equipments, UEs, wherein at least one of the applications is associated with an application profile information, said apparatus is configured to:
transmit a request message associated with a UE to the AS for access to one or more of the application(s);
receive, in response to the transmitted message, an indication of whether the one or more application(s) are authorised to be accessed by a UE based on user control policies associated with the UE and an application profile information for each of the one or more application(s) that are associated with an application profile information, wherein the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
47. An apparatus for use in controlling access to applications in a communications network, the communications network including an Internet Protocol Multimedia Subsystem, IMS, and a plurality of UEs, wherein at least one of the applications is associated with application profile information, said apparatus is configured to:
trigger a determination of whether a UE of the plurality of UEs may access and/or use one or more of the application(s);
retrieve one or more user control policy(ies) associated with the UE, wherein the user subscription or profile associated with the UE may be stored in the network and includes the user control policy(ies);
retrieve application profile information associated with at least one of the one or more application(s);
determine whether the one or more application(s) are authorised to be accessed by the UE based on the user control policies associated with the UE and the application profile information associated with at least one of the applications;
indicate, in response to the triggering, whether the one or more application(s) are authorised to be accessed or used by the UE.
48. An application server, AS, for use in controlling access to applications in a communications network, the communications network comprising an Internet Protocol Multimedia Subsystem, IMS, a second AS and a plurality of user equipments, UEs, wherein at least one of the applications is associated with an application profile information, said AS is configured to:
transmit an authorisation request associated with the UE to said second AS, the authorisation request including the identity of each of said one or more application(s) being accessed or used by said UE; and
receive, from the second AS, data representative of whether the UE is authorised or not authorised to access or use said one or more application(s) based on the user control policy(ies) of the UE and the application profile information for each of the one or more application(s) that are associated with an application profile information, wherein the user subscription or profile associated with the UE that is stored in the network includes the user control policy(ies).
49. A user control application server, AS, for use in controlling access to applications in a communications network, the communications network comprising an Internet Protocol Multimedia Subsystem, IMS, an AS associated with the applications, and a plurality of user equipments, UEs, wherein at least one of the applications is associated with an application profile information, said user control AS is configured to:
detect IMS registration of a UE from the plurality of UEs;
retrieve user control policy(ies) associated with the UE from the user subscription or profile associated with the UE, wherein the user control policy(ies) are previously stored or associated with the user subscription or profile associated with the UE;
store the user control policy(ies) associated with the UE;
receive a request for the user control policy(ies) associated with the UE from the AS associated with the applications; and
transmit, in response to said request, said user control policy(ies) associated with the UE to the AS associated with the applications for use in determining whether the UE is authorised to access one or more application(s) based on the user control policy(ies) associated with the UE and the application profile information associated with at least one of the one or more applications.
50. A computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to any one of claims 1 to 44.
51. A carrier containing the computer program of claim 50, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
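The decision steps of claims 1 to 7 can be sketched as follows; this is an added example, not code from the patent. The policy and profile fields (age rating, category), the application identifiers and the use of 403 as the SIP client failure response are assumptions. Treating any denied application as a failed request is one reading of claims 5 and 10, and the `allow_unprofiled` switch is an addition that makes the default-allow rule of claim 3 visible.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

SIP_OK = 200         # the "SIP 200 OK" of claim 7
SIP_FORBIDDEN = 403  # assumption: one 4xx code standing in for the
                     # "SIP client failure response" of claim 6


@dataclass(frozen=True)
class UserControlPolicy:
    """Hypothetical parental control policy held in the user profile."""
    max_age_rating: int
    blocked_categories: frozenset = frozenset()


@dataclass(frozen=True)
class AppProfile:
    """Hypothetical application profile information for one application."""
    age_rating: int
    category: str


@dataclass(frozen=True)
class Decision:
    authorised: List[str]  # list of authorised applications (claim 4)
    denied: List[str]      # applications the UE may not access (claim 10)
    sip_status: int        # success or client failure (claims 5 to 7)


def policy_allows(policy: UserControlPolicy, profile: AppProfile) -> bool:
    """Apply one policy to one application's profile information (claim 2)."""
    return (profile.age_rating <= policy.max_age_rating
            and profile.category not in policy.blocked_categories)


def app_authorised(policies: Sequence[UserControlPolicy],
                   profile: Optional[AppProfile],
                   allow_unprofiled: bool = True) -> bool:
    """Decide one application against every policy of the UE.

    An application with no profile information is authorised by default,
    as in claim 3. Passing allow_unprofiled=False gives a fail-closed
    variant, which is not something the claims describe.
    """
    if profile is None:
        return allow_unprofiled
    # With an empty policy list nothing restricts the UE, so all() is True.
    return all(policy_allows(p, profile) for p in policies)


def decide(policies: Sequence[UserControlPolicy],
           profiles: Dict[str, Optional[AppProfile]],
           requested: Sequence[str],
           allow_unprofiled: bool = True) -> Decision:
    """Steps A3 and A4: determine per application, then pick the response."""
    authorised: List[str] = []
    denied: List[str] = []
    for app_id in requested:
        # An application missing from the database has no profile information.
        profile = profiles.get(app_id)
        if app_authorised(policies, profile, allow_unprofiled):
            authorised.append(app_id)
        else:
            denied.append(app_id)
    status = SIP_OK if not denied else SIP_FORBIDDEN
    return Decision(authorised, denied, status)


if __name__ == "__main__":
    # Constructed sample data: one policy and three applications, one of
    # which carries no application profile information.
    child = UserControlPolicy(12, frozenset({"gambling"}))
    database = {
        "chat": AppProfile(7, "messaging"),
        "casino": AppProfile(18, "gambling"),
        "legacy": None,
    }
    print(decide([child], database, ["chat", "casino", "legacy"]))
    print(decide([child], database, ["legacy"], allow_unprofiled=False))
```

With the claimed default, an application that was never given profile information passes the check, so the completeness of the application database decides how much the control actually covers.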
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/SE2014/050328 WO2015142233A1 (en) | 2014-03-19 | 2014-03-19 | Application user control |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015142233A1 (en) | 2015-09-24 |
Family
ID=50513404
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SE2014/050328 WO2015142233A1 (en) | 2014-03-19 | 2014-03-19 | Application user control |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2015142233A1 (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2093970A1 (en) * | 2008-03-21 | 2009-08-26 | Koninklijke KPN N.V. | Call service handling in an IMS-based system |
2014-03-19 WO PCT/SE2014/050328 patent/WO2015142233A1/en active Application Filing
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2093970A1 (en) * | 2008-03-21 | 2009-08-26 | Koninklijke KPN N.V. | Call service handling in an IMS-based system |
Non-Patent Citations (1)
Title |
---|
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; IP Multimedia Subsystem (IMS) based Packet Switch Streaming (PSS) and Multimedia Broadcast/Multicast Service (MBMS) User Service; Protocols (Release 12)", 3GPP STANDARD; 3GPP TS 26.237, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG4, no. V12.0.0, 19 September 2013 (2013-09-19), pages 1 - 151, XP050712350 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106604260A (en) * | 2015-10-20 | 2017-04-26 | 中兴通讯股份有限公司 | Application downloading method and device |
CN106604260B (en) * | 2015-10-20 | 2021-12-21 | 中兴通讯股份有限公司 | Application downloading method and device |
CN107623781A (en) * | 2017-08-31 | 2018-01-23 | 普联技术有限公司 | Control method for preventing indulging and system |
CN113992632A (en) * | 2020-07-09 | 2022-01-28 | 华为技术有限公司 | Method and device for managing application |
EP4181433A4 (en) * | 2020-07-09 | 2023-12-06 | Huawei Technologies Co., Ltd. | Application management method and apparatus |
CN113992632B (en) * | 2020-07-09 | 2025-01-17 | 华为技术有限公司 | Method and device for managing applications |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11641569B2 (en) | | Service sharing between devices |
CN106717041B (en) | | Service restriction and selection control for enhanced internet protocol multimedia subsystem for mobile devices roaming in foreign networks |
CN107113312B (en) | | Call distribution of session initiation protocol internet protocol multimedia subsystem to multiple associated devices |
EP2425647B1 (en) | | Managing undesired service requests in a network |
US9043928B1 (en) | | Enabling web page tracking |
US9888290B1 (en) | | Service denial notification in secure socket layer (SSL) processing |
CN106575343B (en) | | Communication operation is triggered based on the relationship between neighbouring client device determined by client |
US9137327B2 (en) | | Dynamic consent engine |
KR101891639B1 (en) | | SECURITY FOR ACCESS TO THE IP MULTIMEDIA SUBSYSTEM (IMS) WITH WEB REAL TIME COMMUNICATION (WebRTC) |
US20160119764A1 (en) | | Application download notification in hierarchical groups of consumer users of mobile devices |
WO2015142233A1 (en) | | Application user control |
WO2010121645A1 (en) | | Priority service invocation and revocation |
US20150096052A1 (en) | | Children's Online Personal Info Privacy Protection Service |
US20050286721A1 (en) | | Providing content in a communication system |
GB2532951A (en) | | Device management user centric identity for security protection |
WO2015147712A1 (en) | | Application ratings among contacts using capability exchange mechanisms |
WO2018109256A1 (en) | | User identification in mobile communications system |
US20120255008A1 (en) | | Method of Handling Malicious Application in Telco's Application Store System and Related Communication Device |
US9615256B2 (en) | | Method and apparatus for providing an access to a tethering service via an endpoint device |
KR20160075655A (en) | | Data processing method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 14718188; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | EP: PCT application non-entry in European phase | Ref document number: 14718188; Country of ref document: EP; Kind code of ref document: A1 |