
EP3017394A2 - A mobile integrated distribution and transaction system and method for NFC services, and a mobile electronic device thereof

Info

Publication number
EP3017394A2
Authority
EP
European Patent Office
Prior art keywords
widget
secure
application
electronic device
mobile electronic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP14815864.5A
Other languages
German (de)
French (fr)
Inventor
Laurent Renard
Gregory Puente-Castan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Toro Dev Ltd
Original Assignee
Toro Dev Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US13/934,726 (US8958746B2)
Priority claimed from US13/964,680 (US8942672B2)
Application filed by Toro Dev Ltd
Publication of EP3017394A2

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/629 Protecting access to data via a platform, e.g. using keys or access control rules to features or functions of an application
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/326 Payment applications installed on the mobile devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/08 Payment architectures
    • G06Q20/10 Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • G06Q20/105 Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems involving programming of a portable memory device, e.g. IC cards, "electronic purses"
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3227 Aspects of commerce using mobile devices [M-devices] using secure elements embedded in M-devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327 Short range or proximity payments by means of M-devices
    • G06Q20/3278 RFID or NFC payments by means of M-devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821 Electronic credentials
    • G06Q20/38215 Use of certificates or encrypted proofs of transaction rights
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/387 Payment using discounts or coupons
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • NFC provides intuitive, simple, and safe communication between electronic devices.
  • NFC is both a "read" and "write" technology. Communication between two NFC-compatible devices occurs when they are brought within four centimeters of one another; a simple wave or touch can establish an NFC connection, which is then compatible with other known wireless technologies such as Bluetooth or Wi-Fi.
  • the underlying layers of NFC technology follow universally implemented ISO, ECMA, and ETSI standards. Because the transmission range is so short, NFC-enabled transactions are inherently secure. Also, physical proximity of the device to the reader gives users the reassurance of being in control of the process.
  • NFC can be used with a variety of devices, from mobile phones that enable payment or transfer information, to digital cameras that send their photos to a TV set with just a touch.
  • the possibilities are endless, and NFC is sure to take the complexities out of today's increasingly sophisticated consumer devices and make them simpler to use.
  • Still another object of the present invention is to provide a mobile electronic device to use the widgets in NFC transactions.
  • the present invention provides a mobile integrated distribution and transaction system comprising: a server having a widget generator for creating a widget having a certificate; a communication interface for distributing the widget and retrieving the widget information associated with NFC transactions; and at least one mobile electronic device having a transaction terminal comprising an NFC modem and at least one secure element divided into a plurality of secure domains, and a virtual machine for managing the widget and changing the widget information while the NFC modem is enabling the NFC transactions with the secure element.
  • the present invention provides a mobile distribution system comprising: a widget generator for creating a widget having a certificate; and a communication interface for distributing the widget to a mobile electronic device with a transaction terminal having at least one secure element for storing a plurality of secure applications, and retrieving the widget information from the mobile electronic device using the transaction terminal for NFC transactions.
  • the present invention provides a mobile distribution method, comprising the following steps: generating a widget having a certificate; distributing the widget to a mobile electronic device with a transaction terminal having at least one secure element for storing at least one secure application; and retrieving the widget information from the mobile electronic device on NFC transactions enabled by one of the secure elements in use of the transaction terminal.
  • the present invention provides a mobile transaction system to use a widget on wireless transactions, comprising: means for receiving widgets, each widget having a certificate and displaying multimedia content associated with a secure application; a graphical user interface for displaying the widgets; means for selecting one of the widgets on the graphical user interface; and means for transmitting the widget information while enabling the wireless transactions with a secure element.
  • the present invention provides a mobile transaction method to use a widget on NFC transactions, comprising: receiving widgets, where each widget has a certificate; displaying the widgets on a graphical user interface; selecting one of the widgets on the graphical user interface; and changing the widget information while an NFC modem is enabling the NFC transactions with a secure element.
  • the aforementioned method can be implemented by software installed on a mobile electronic device comprising the NFC modem and the graphical user interface.
  • the aforementioned method can be executed by computer-executable instructions stored in a computer-readable medium.
  • the present invention provides a mobile electronic device for NFC services, comprising: a transaction terminal having an NFC modem for transmitting radio frequency (RF) signals associated with a contactless data of NFC transactions, and at least one secure element for storing at least one secure application; and a virtual machine for authenticating and managing a plurality of widgets, each widget having a certificate, and changing the widget information while the NFC modem is enabling the NFC transactions with the secure element.
  • the aforementioned mobile electronic device can be a PDA or an iPod or a cell phone or a hand-held device or a multimedia player.
  • the present invention provides a mobile electronic device for NFC services, composed of: a wireless modem for receiving a widget with a certificate from a wireless network; at least one secure element for storing at least one secure application; an NFC modem for transmitting radio frequency (RF) signals associated with a contactless data of NFC transactions; a graphical user interface for displaying the widget; a memory for storing the widget; and a processor performing a virtual machine for managing the widget(s) and changing the widget(s') information while the NFC modem is enabling the NFC transactions with the secure element.
  • associated information of various transaction applications can be displayed on a mobile electronic device through widgets having a certificate.
  • NFC transactions can be enabled by a secure element for storing a secure application.
  • information associated with a secure application can be received or processed by the widgets.
  • the secure element manager can be configured to create an instance of a configured driver enabling access to the secure element in response to a request by a widget to access the secure element, with the secure element manager being configured to provide access to a plurality of secure elements.
  • the system can further include a content handler configured to provide one or more of the following: communication between a third-party application installed on the mobile electronic device and the widgets; and communication between the third-party application installed on the mobile electronic device and the corresponding secure applications stored in the secure element.
  • the system can further comprise a content handler plug-in, the content handler plug-in being implemented in the third-party application and enabling the third-party application to operatively communicate with the content handler.
  • the content-handler plug-in can further comprise a unified reference locator (URL) of the content handler for connection to the content handler, and widget identifiers associated with specific widgets, wherein the widget identifier can be presented to the content handler via the URL to enable access by the third-party application to the widget.
  • the virtual machine can be configured to perform one or more of the following: initiate a download of a widget from a widget distribution interface over a wireless network when a widget identifier associated with the widget is presented to the content handler by the third-party application, but the at least one widget is not presently installed on the mobile electronic device; and initiate a download of the third-party application from a third-party application distribution interface over the wireless network when the widget attempts to communicate with the third-party application, but the third-party application is not presently installed on the mobile electronic device.
  • a method of providing a mobile distribution system for use on a mobile electronic device having a particular mobile operating system, a processor, memory, and code in the memory for implementing a particular mobile operating system in the processor, and being operatively coupled to a secure element having one or more secure applications.
  • a server uses code to generate a mobile client for distribution over a wireless network to the mobile electronic device, the mobile client including at least the following: a virtual machine configured to execute in the processor to provide a runtime environment capable of running a plurality of widgets and configured to enable the widgets to be operable on any of a plurality of mobile operating systems including the particular mobile operating system.
  • a secure element manager is configured to enable at least one widget of the plurality of widgets to read from or write to the secure element by providing the at least one widget with access to a corresponding one of the one or more secure applications stored in the secure element, and by enabling the mobile electronic device to perform at least one NFC transaction using the corresponding secure applications.
  • the secure element manager can be configured to create an instance of a configured driver enabling access to the secure element in response to a request by the widget to access the secure element.
  • the secure element manager can be configured to provide access to a plurality of secure elements. The mobile client can then be distributed to
  • a method for providing access control for widget management on a mobile electronic device can include a mobile electronic device having a processor, a memory, code in the memory for implementing in the processor a virtual machine, and an NFC transceiver.
  • the mobile electronic device can be operatively coupled to a secure element and be in wireless communication with a server over at least one wireless network, the server having a server processor and a server memory.
  • the method can include generating, by the server, a widget having a widget certificate and associating, by the server, the widget certificate with application identification (AID) information corresponding to at least one secure application stored in the secure element.
  • the method further includes referencing, by the server, the widget certificate and the associated AID information in an access control (AC) file having an AC file certificate, providing, by the server, the AC file to the mobile electronic device over the wireless network, and configuring the widget certificate and the AC file for authentication.
  • the method further includes determining whether to provide the widget with access to the at least one secure application to enable the at least one secure application to perform at least one NFC transaction.
  • the virtual machine in response to the authentication of the widget certificate and the AC file certificate, is configured to provide the widget with access to the at least one secure application when either (a) the widget specifies the associated AID information of the at least one secure application referenced in the AC file; or (b) the widget certificate referenced in the AC file matches the authenticated widget certificate.
  • the method can further include updating the AC file when a widget is added to, modified on, or removed from the mobile electronic device.
  • in the method, configuring the widget certificate for authentication can comprise verifying the widget certificate by the virtual machine upon distribution of the widget to the mobile electronic device; and configuring the AC file for authentication can comprise verifying the AC file certificate by the virtual machine upon providing the AC file to the mobile electronic device.
  • the AID information can comprise an application identifier and at least one access control flag, and the method can further comprise configuring the virtual machine to filter widget access to the at least one secure application based on the at least one access control flag.
  • the method can include displaying via the widget multimedia content associated with the at least one secure application to which access has been provided based on the at least one access control flag. The at least one access control flag can be a payment flag, an identification flag, and/or a communication flag.
  • the method can include dividing the secure element into a plurality of secure domains, and storing the at least one secure application in a respective secure domain.
  • the method can further include configuring the widget to respond to the at least one NFC transaction occurring by retrieving information on the at least one NFC transaction associated with the secure application.
  • the at least one secure application can include at least one of a transport application, a credit/debit application, a coupon application, a secure access application, a loyalty card application, an electronic purse application, or a ticketing application.
  • the at least one secure element can include at least one of a secure SIM card, a secure memory card, and secure internal memory.
  • a system in accordance with the method of providing widget access control management on a mobile electronic device is also provided.
  • Fig. 1 shows a system architecture diagram of a mobile integrated distribution and transaction system for NFC service in accordance with the present invention.
  • Fig. 2 shows a block diagram of a transaction terminal in accordance with the present invention.
  • Fig. 3A shows a schematic block diagram illustrating the software and the hardware of the mobile electronic device.
  • Fig. 3B shows a schematic block diagram illustrating the mobile electronic device of Fig. 3A communicating with the bank server for receiving widgets and enabling a transaction communication.
  • Fig. 4 shows a schematic diagram illustrating a plurality of applied widgets displayed on the graphical user interface of the mobile electronic device in accordance with the present invention.
  • Fig. 5 shows a schematic block diagram illustrating the various states of a widget in accordance with the present invention.
  • Fig. 6 is a flow chart showing a mobile distribution method in accordance with the present invention.
  • Fig. 7 is a flow chart showing a mobile transaction method in accordance with the present invention.
  • Fig. 8 shows a system architecture diagram of a mobile integrated distribution and transaction system for NFC services in accordance with embodiments of the present invention.
  • Fig. 9 shows a schematic block diagram illustrating elements of the software and the hardware of the mobile electronic device in accordance with embodiments of the present invention.
  • Fig. 10 is a flow chart showing a mobile distribution method in accordance with embodiments of the present invention.
  • Fig. 11 shows a system architecture diagram of an integrated distribution and transaction system for NFC services on mobile electronic devices in accordance with embodiments of the present invention.
  • Fig. 12 is a flow chart showing a method for providing access control for widget management on a mobile electronic device in accordance with embodiments of the present invention.
  • Fig. 13A and Fig. 13B show exemplary representations of a widget and an Access Control file in accordance with embodiments of the present invention.
  • Fig. 1 shows a system architecture diagram of a mobile integrated distribution and transaction system for NFC service in accordance with the present invention.
  • the mobile integrated distribution and transaction system for NFC service of the present invention comprises a server 10 that has a communication interface 11 communicating with a wireless network 30 and that executes a widget lifecycle management platform 12.
  • the widget lifecycle management platform 12 comprises a widget generator for creating a widget.
  • the widget may display multimedia content associated with a secure application.
  • the widget generator is a software development kit (SDK) of the widget lifecycle management platform 12, and the widget is an independent application that is developed using the SDK and that can only be run on a virtual machine 21 of a mobile electronic device 20.
  • the widget is assigned a certificate which allows the widget to enable an NFC transaction with a secure element for storing a plurality of secure applications.
  • the widget is assigned a lifecycle, and the widget lifecycle management platform 12 retrieves the widget information used on the NFC transaction through the communication interface 11 during the valid lifecycle.
  • the widget is assigned an identification number representing an account for conducting the NFC transactions under a secure application.
  • the secure application is, but is not limited to, a transport application or a credit/debit application or a coupon application or a secure access application or a loyalty card application or an electronic purse application or a ticketing application.
  • the widget lifecycle management platform 12 of the mobile integrated distribution and transaction system of the present invention uses the communication interface 11 to distribute a plurality of widgets to at least one mobile electronic device 20 through the wireless network 30.
  • the widget lifecycle management platform 12 also uses the communication interface 11 to retrieve the widget information used on the NFC transaction from the mobile electronic device 20 so as to analyze the information associated with NFC transactions received by the widget.
  • the transaction terminal 22 allows the mobile electronic device 20 to enable a card emulation mode transaction with a point-of-sales (POS) terminal 32, so that the mobile electronic device 20 changes the widget information or that the widget receives the information associated with transactions.
  • the transaction terminal 22 allows the mobile electronic device 20 to enable a reader mode transaction with a radio-frequency identification (RFID) tag 33, so that the mobile electronic device 20 changes the widget information or that the widget receives the information associated with transactions.
  • an NFC transaction enabled by the mobile electronic device 20 includes, but is not limited to, a peer-to-peer transaction, a card emulation mode transaction, and a reader mode transaction.
  • a mobile electronic device 20 for NFC services comprises a transaction terminal 22 as shown in Fig. 2 and a virtual machine 21.
  • the transaction terminal 22 comprises: an NFC modem for transmitting radio frequency (RF) signals associated with contactless data of NFC transactions or for transmitting data associated with NFC transactions; and at least one secure element divided into at least one secure domain where a specific secure application is located or stored.
  • the secure element is implemented by a SIM card for a cell phone or a secure memory card, such as a micro-SD card.
  • the virtual machine 21 is installed on the mobile electronic device 20 for authenticating and managing a plurality of widgets, and each widget has a certificate.
  • After the certificate is authenticated by the virtual machine 21, the virtual machine 21 allows the widget to access the secure element 225.
  • the widget changes the widget information or retrieves information under a corresponding secure application stored in one of the secure domains while the NFC modem is enabling the NFC transactions with the secure element 225.
  • Fig. 2 shows a block diagram of a transaction terminal in accordance with the present invention.
  • the transaction terminal 22 is implemented on a mobile electronic device 20.
  • the mobile electronic device 20 is a PDA or an iPod or a cell phone or a hand-held device or a multimedia player.
  • the mobile electronic device 20 comprises the transaction terminal 22 only, exclusively used for conducting NFC transactions under the control of a secure application located or stored in a secure domain.
  • a mobile electronic device 20 comprises a transaction terminal 22.
  • the transaction terminal 22 is used for NFC transactions and is composed of a wireless modem 226, at least one secure element 225, an NFC modem 224, a memory 223, a graphical user interface 222, and a processor 221.
  • the wireless modem 226 can use a wireless protocol such as 3G, GPRS, Bluetooth, or WiFi or any other wireless communication protocol such that the mobile electronic device 20 communicates with a wireless network 30, and the widget is distributed to the mobile electronic device 20 through the wireless modem 226 of the transaction terminal 22.
  • the secure element 225 is hardware embedded into the mobile electronic device 20 and is divided into a plurality of secure domains where secure applications are located or stored.
  • the mobile electronic device 20 is a cell phone.
  • the secure element 225 is the SIM card for a cell phone or a secure memory card which can be plugged into the memory card slot of the mobile electronic device 20.
  • such secure memory card is a micro-SD card.
  • the mobile electronic device 20 may comprise a plurality of secure elements 225.
  • both a SIM card and a memory card are embedded into an NFC mobile phone.
  • the SIM card and the memory card are divided into a plurality of secure domains for storing a plurality of secure applications, respectively.
  • secure element 225 can be operatively connected to the mobile electronic device 20 as described above. In some embodiments, secure element 225 can be operatively connected to the mobile electronic device 20 without being embedded or plugged into the mobile electronic device 20. For example, the secure element 225 may be wirelessly connected to the mobile electronic device 20 via any appropriate wireless communication means (e.g., Bluetooth, WiFi, RF, etc.). Once the secure element 225 is operatively connected to the mobile electronic device 20 using any of the above means, NFC transactions can be conducted under the control of a secure application located or stored in a secure domain of the secure element 225.
  • the NFC modem 224 comprises a built-in NFC antenna (not shown) for NFC transactions and is electronically connected to the secure element 225.
  • the processor 221 of the transaction terminal 22 executes software program instructions of a widget management platform, and is electrically connected to the wireless modem 226 to receive the widgets distributed by the server 10 or to transmit information associated with NFC transactions received by the widget back to the server 10.
  • the widget is assigned an identification number representing an account for conducting NFC transactions under the control of a secure application stored in the secure element, and the information transmitted back to the server 10 from the widget includes the identification number.
  • the processor 221 electronically connects to the secure element 225 and the NFC modem 224 to access the secure element 225 for enabling the NFC transactions.
  • the processor 221 also electronically connects to the memory 223 for storing the received widget and connects to the graphical user interface 222 for displaying multimedia content associated with a secure application represented by the widget.
  • the widget assigned a certificate corresponds to a specific secure application stored in a secure domain.
  • the certificate will be authenticated by the widget management platform provided by the virtual machine 21. If the certificate passes the authentication, the virtual machine 21 will allow the widget to access the secure element 225 to enable the NFC modem 224 to conduct the NFC transactions under a secure application, so that the widget information is changed or that the transaction information associated with a secure application is received by the widget.
  • a secure application is located or stored in a secure domain.
  • a loyalty card application is located in a secure domain which enables a loyalty card transaction with the secure element 225.
  • an electronic purse application is located in a secure domain which enables an electronic purse transaction with the secure element 225.
  • a coupon application is located in a secure domain which enables a coupon transaction with the secure element 225.
  • the widget is assigned a certificate and a lifecycle. During the valid lifecycle, if the certificate passes the authentication of the virtual machine 21, it will allow the widget to access the secure element 225 to enable the NFC modem 224 to conduct the NFC transactions. The widget also transmits information associated with the NFC transaction back to the server 10 through the wireless modem 226 during the valid lifecycle. In an exemplary embodiment, the widget displays multimedia content associated with a coupon application and is assigned a lifecycle associated with the coupon. The widget is distributed to the mobile electronic device 20, which uses the coupon information of the widget through NFC transactions under the coupon application during the valid lifecycle of the coupon.
  • Fig. 3A shows a schematic block diagram illustrating the software and the hardware of the mobile electronic device.
  • the virtual machine 21 manages the widget received by the mobile electronic device 20 from the server 10, and authenticates the certificate of the widget to allow the widget to communicate with the transaction terminal 22.
  • Each widget displays multimedia content associated with a secure application; for example, it may be a widget associated with AirFrance, VISA, or EasyCard applications.
  • the virtual machine 21 may be installed on various mobile electronic devices 20 (such as a PDA, an iPod, a mobile phone, a handheld device, or a multimedia player) and provides a widget management platform such that the authenticated widget accesses the secure element 225 of the transaction terminal 22 to enable NFC transactions.
  • Fig. 5 shows a schematic block diagram illustrating the various states of a widget in accordance with the present invention.
  • the widget used in the mobile integrated distribution and transaction system of the present invention has a plurality of states.
  • the initial state of the widget is "not activated" when the widget is created on the server.
  • the state of the widget will change to "deleted" if the widget is assigned a lifecycle but the state of the widget remains as "not activated" after the valid lifecycle is past.
  • the mobile electronic device 20 requests the server 10 for downloading a widget.
  • the state of the widget is "distributed" when the widget is being distributed to the virtual machine 21 of the mobile electronic device 20 before the widget is activated successfully.
  • the state of the widget will change from "distributed" to "activated" when the widget is authenticated by the virtual machine 21 and then successfully accesses the corresponding secure application stored in the secure elements 225.
  • the virtual machine 21 allows the widget to access the secure element 225 of the transaction terminal 22 to activate the NFC modem 224 when the user selects a widget on the graphical user interface 222.
  • the widget then reacts to an event triggered by the NFC modem 224 such that the state of the widget changes from "activated" to "in use" under a specific secure application corresponding to the widget, and the event is an interaction associated with NFC transactions.
  • the state of the widget will return from "in use" to "activated" after the widget completes processing the information on NFC transactions.
  • Fig. 6 is a flow chart showing a mobile distribution method in accordance with the present invention.
  • the mobile distribution system implements a mobile distribution method, the method comprising the following steps: creating a widget displaying multimedia content associated with a secure application such as a transport application or a credit/debit application or a coupon application or a secure access application or a loyalty card application or an electronic purse application or a ticketing application.
  • the widget only executes on a virtual machine 20 of the mobile electronic device 20 or installed on the mobile electronic device 20.
  • the step of creating a widget further comprises: initializing a state of the widget as "not activated" when the widget is created; assigning a certificate to the widget, wherein the widget is associated with a specific secure application such as a transport application or a credit/debit application, and the certificate allows the widget authenticated by the virtual machine 21 to access the secure element 225 embedded or plugged into the transaction terminal 22 to enable NFC transactions to retrieve information under a specific secure application; assigning a lifecycle to the widget, wherein the widget downloaded to the mobile electronic device 20 may process or retrieve information on NFC transactions during the valid lifecycle and transmit information back to the server 10; and assigning an identification number representing an account for conducting NFC transactions under the control of a secure application corresponding to the widget.
  • the method comprises the following step: recording the certificate, lifecycle and the identification number assigned to the widget to gather statistics for the mobile distribution system or to analyze the widget.
  • the mobile distribution system further comprises the following steps: distributing the widget to the mobile electronic device 20 and changing the state of the widget from "not activated" to "distributed", wherein the mobile electronic device 20 has a transaction terminal 22 comprising at least one secure element 225 for storing a secure application and a virtual machine 21; and retrieving the widget information from the mobile electronic device 20 while the state of the widget is "activated", wherein the widget information is gathered or updated by the widget while the mobile electronic device 20 enables NFC transactions.
  • the mobile distribution method further comprises the following step: analyzing the information gathered or updated by the widget for transaction accounting according to the recorded lifecycle and identification number.
  • Fig. 7 is a flow chart showing a mobile transaction method in accordance with the present invention.
  • the mobile transaction method is implemented by the mobile transaction system of the present invention or by the mobile electronic device 20 as shown in Fig. 1, wherein the mobile electronic device comprises the transaction terminal 22 as shown in Fig. 2.
  • the mobile transaction method is implemented by a software installed on the mobile electronic device 20 comprising the NFC modem and the graphical user interface 222.
  • the mobile transaction method comprises the following steps: receiving the widgets distributed by the server 10, each widget having a certificate, and/or a lifecycle and an identification number, wherein the certificate allows the widget authenticated by the virtual machine 21 to access the secure element 225 embedded or plugged into the transaction terminal 22 to enable NFC transactions, wherein the identification number represents an account for conducting NFC transactions under a secure application, and wherein the widget information is changed while the NFC modem is enabling the NFC transactions during the valid life cycle; and authenticating the certificate of the widget to determine whether the widget can access the secure element 225 of the transaction terminal 22, wherein the widget is activated if the widget successfully accesses the secure element 225 to retrieve information from a specific secure application stored in the secure element, and the state of the widget changes from "distributed" to "activated".
  • the mobile transaction method further comprises: displaying the widgets on the graphical user interface 222, wherein the widgets display multimedia content associated with a secure application; managing the widgets; selecting one of the widgets on the graphical user interface 222 to use, share or update such that the selected widget reacts to an event, which is an interaction associated with NFC transactions, triggered by the NFC modem 224 and changing the state of the widget to "in use", "on share" or "updated"; using the selected widget to communicate with the secure element; changing or transmitting the widget information while the NFC modem 224 is enabling NFC transactions with the secure element 225; and changing the state of the widget back to "activated" after the widget is used, shared or updates the received information on NFC transactions.
  • mobile client 40 is configured with a plurality of compatible extensions, protocols and/or drivers already integrated. This allows service providers, for example, the flexibility to design a single OS-independent and mobile electronic device-independent widget using the SDK for deployment on a plurality of different OSs and devices without requiring the creation of many varying iterations of the same widget to meet the requirements of each.
  • the runtime environment which is executed in the processor, implements the core behavior of the programming code when invoked by a widget.
  • the virtual machine 21 can then implement an action on the mobile electronic device 20, such as, for example, causing a connection to a secure application in the SE. Additionally or alternatively, the virtual machine 21 can translate the invocation into an invocation of the particular OS of the mobile electronic device 20, such as for causing the OS of the mobile electronic device 20 to connect directly to the wireless network, etc.
  • the SE manager 23 is configured to enable a widget to read from and/or write to the SE, provided the widget certificate has been authenticated by the virtual machine 21.
  • the SE manager 23 enables the authenticated widget to access a secure application stored in the SE, which in some embodiments enables an NFC transaction to be performed by the mobile electronic device 20. This can be accomplished by the SE manager 23 first abstracting all the heterogeneous interfaces for accessing the SE into a platform-independent interface used by the widget. While the SE manager 23 is capable of providing communication between a plurality of widgets and a plurality of SEs, it is typically configured to provide access to a single SE using a single channel at any given time. Therefore, concurrent connections are blocked until the thread owning the connection releases it.
  • mobile client 40 can also include extensions manager 24.
  • Extensions manager 24 is responsible for managing all the extensions present in mobile client 40, and for providing an interface between extensions and the mobile client 40.
  • Extensions incorporated into mobile client 40, and managed by extensions manager 24 can include extensions common to a plurality of OS platforms (i.e. RIM, J2ME, Nokia, Android, etc.), and Application Protocol Data Unit (APDU) extensions.
  • Extensions manager 24 can also manage OS-specific extensions. Extensions manager 24 provides communication between virtual machine 21 and SE manager 23, and the extensions.
  • Mobile client 40 can also include content handler 25.
  • Content handler 25 is configured to provide communication between native third-party applications (such as third-party application 50) installed on the mobile electronic device 20 and the widgets.
  • Content handler 25 is also configured to provide communication between third-party applications and secure applications stored in the SE.
  • content handler 25 is responsible for managing incoming connections from third-party applications attempting to connect to a widget or secure application, and outgoing connections to third-party applications.
  • content handler 25 maintains a list of actions available for third-party applications that are allowed to connect to widgets and/or secure applications.
  • managing connections and interactions between third-party application 50 and widgets/secure applications is accomplished by employing a content handler plug-in 51.
  • Content handler plug-in 51 is a specific library that must be implemented in third-party application 50 in order to be able to communicate and interact with the mobile client 40 through the content handler 25.
  • the content handler plug-in 51 can comprise several parameters including: a unified reference locator (URL) of the content handler 25 for connection with the content handler 25; a widget identifier associated with each widget with which the third-party application 50 would like to communicate; and/or the list of actions available to the third-party application 50 for interacting with the mobile client 40.
  • third party application 50 is configured with the identity of the widget and/or secure application (stored in the SE) with which it can interact. Only by calling the specific widget and/or secure application, will content handler 25 enable communication with widgets via virtual machine 21, and with secure applications via secure element manager 23.
  • a widget is called by third-party application 50, but the widget is not present in the memory of mobile electronic device 20
  • content handler 25 can initiate a download of the widget from the widget distribution interface 13 over wireless network 30 via wireless modem 226.
  • third-party application 50 is called by a widget, but the third-party application 50 is not present in the memory of mobile electronic device 20
  • content handler 25 can initiate a download of the third-party application 50 from the source server of the third-party application developer over wireless network 30 via wireless modem 226.
  • notifications can be provided via the mobile electronic device to the user that additional resources are needed to implement an action that has commenced at the mobile electronic device 20.
  • such notifications can include a prompt to the user to accept having such resources downloaded to the mobile electronic device.
  • a widget can be accessed directly from third-party application 50 without a mobile device user having to close the third-party application 50 and open the mobile client 40 in order to complete an NFC transaction via NFC transceiver 224.
  • Third-party application 50 may, for example, require information that can be provided directly from one or more widgets (e.g. club membership information from a club card widget, location data from a GPS enabled widget, and/or payment information from a payment widget) in order to complete an NFC transaction, but does not require the full functionality of the associated secure applications.
  • an NFC transaction can be initiated and concluded from within the third-party application 50 while maintaining the security and integrity of the secure element, by providing third-party application 50 with access to the secure application via content handler 25 and content handler plug-in 51. This is in lieu of suspending the third-party application 50 in order to open a mobile wallet, for instance. Similarly, third-party application 50 can be accessed directly by the widget without the user having to leave or close the mobile client 40.
  • third-party application 50 which can be managed by settings established in the mobile client 40
  • similar reciprocal user access/functionality can be employed between third-party application 50 and a secure application located in the SE as between the widgets and the third-party application 50. This can occur, for example, when a mobile device user employs third-party application 50 (e.g., of a retail store) to browse for a product or service, but desires to pay for the product or service via NFC transaction, using a secure application provided by a trusted payment provider (e.g., VISA).
  • an NFC transaction can be initiated and concluded from within the third-party application 50 while maintaining the security and integrity of the secure element, by providing third-party application 50 with access to the secure application via content handler 25 and content handler plug-in 51.
  • data exchange is selectively enabled between widgets/secure applications and third-party applications using the content handler system.
  • mobile client 50 can provide for secure and seamless management of NFC transactions between mobile electronic device 20 and other NFC-enabled devices 31 and/or POS terminals 32, using NFC transceiver 224, regardless of whether the transaction was initiated via the widget, the secure application in the SE, or a third-party application.
  • Fig. 10 a flow chart showing a mobile distribution method in accordance with certain embodiments of the present invention is provided.
  • mobile client 40 is generated and includes the plurality of OS-specific and hardware-specific information and requirements which are embedded into mobile client 40 before deployment on each of a plurality of mobile electronic devices 20.
  • the mobile client can comprise code such as a set of instructions executable in a processor of the mobile electronic device 20 once deployed.
  • mobile client 40 is distributed to one or more mobile electronic devices 20 across the wireless network 30 in a conventional manner, or is otherwise installed on the mobile electronic device 20 (e.g., by the device manufacturer).
  • OS-independent widgets are developed (e.g., by service providers, mobile network operators, etc.) using the SDK of the widget distribution interface 13, and at step 63 the widgets are wirelessly distributed to the one or more mobile electronic devices 20 over wireless network 30, and provided to mobile client 40.
  • should the widget developer desire to update, change, or delete the widget and/or should the widget require an update, change, or deletion, the widget can be appropriately modified without modification of the mobile client 40. Otherwise, the widget continues to reside on the mobile electronic devices 20 throughout the widget's lifecycle, and the method ends.
  • FIG. 11 a system architecture diagram of an integrated distribution and transaction system for NFC services on mobile electronic devices is shown in accordance with further embodiments of the present invention.
  • the distribution and transaction system employs access control mechanisms for widget management, allowing widgets to access only certain secure applications residing in a secure element of a mobile device to enable an NFC transaction.
  • the access control system for widget management can filter communication between widgets distributed to the mobile device and secure applications installed on a secure element operatively connected to the mobile device.
  • the distribution and transaction system comprises a server 10' comprising a communication interface, a widget lifecycle management platform (see Fig. 1) having a widget generator 14, and an access control file manager 15.
  • Communication interface 11 can communicate with a plurality of mobile electronic devices (MEDs), such as MED 20, via wireless network 30.
  • the widget generator is a software development kit (SDK) of the widget lifecycle management platform, and the widget is an independent application that is developed using the SDK that can be run on a virtual machine 21 of a mobile electronic device 20.
  • a widget may display multimedia content associated with a secure application and can be used to enable other programs or applications to perform selected tasks or functions.
  • Access control file manager 15 is a module comprising code which, when executed in the server processor (not shown), is configured to create and/or manage an access control (AC) file, which is described in further detail below. Like the widget lifecycle management platform, which employs the widget generator 14 to provide each widget with a widget certificate, access control file manager 15 likewise provides each AC file with an AC file certificate. The AC file certificate can then be authenticated by virtual machine 21 in a similar fashion as widget certificates are authenticated, once the AC file is provided to MED 20. In some embodiments widget certificates and AC file certificates can function as identification, as each certificate can contain a unique identifier. Additionally, in some embodiments, each certificate can contain human-readable data describing the certificate, public/private access key information, and/or a signature of the certificate authority. Access control file manager 15 can provide an AC file to MED 20 wirelessly over wireless network 30 using communication interface 11, and can update or otherwise manage the AC file as necessary.
  • MED 20 can include the virtual machine 21.
  • Virtual machine 21 is an implementation of code stored in memory of MED 20 which, when executed in the MED processor (not shown), provides a widget management platform for managing widgets received by mobile electronic device 20 from the server 10, as described in detail above in the description of Fig. 1.
  • MED 20 can also include NFC transceiver 224 for performing NFC transactions and wireless modem 226 for communicating with wireless network 30.
  • MED 20 can be operatively connected to or coupled with secure element 225 in any manner as described above, and can comprise one or more secure applications.
  • secure element 225 can be divided into a plurality of secure domains, and secure applications can each be stored in a respective secure domain.
  • NFC transceiver 224 can be configured to communicate with point-of-sale terminals and/or other NFC-enabled devices as described in detail above.
  • Fig. 12 a flow chart showing a method for providing access control for widget management on a mobile electronic device in accordance with certain embodiments of the present invention is provided.
  • the method starts at step 70 when access control file manager 15 generates an AC file where widget information can be stored and referenced for later access, as can be seen in the example of Fig. 13B.
  • access control file manager 15 assigns the AC file an AC file certificate which, as explained above, can be used to authenticate the AC file on MED 20.
  • widget generator 14 can generate a widget for distribution to MED 20, and at step 73, any widget so-generated is assigned a widget certificate.
  • the widget certificate can be used as a unique identifier. It should be noted that while in this embodiment the AC is described as being generated before the widget, those of ordinary skill in the art will understand that the order in which the widget and AC file are generated can be reversed.
  • the widget certificate is associated with application identification (AID) information relating to one or more secure applications stored in secure element 225.
  • AID information can include an application identifier and one or more descriptors or flags related to a secure application.
  • access control file manager 15 references the associated widget certificate and AID information of the one or more secure applications in the AC file.
  • a reference may be, for example, human-readable data describing the widget certificate and associated secure applications, or may be machine-readable code representative of the association.
  • Each widget generated and distributed to MED 20 can be associated with one or more secure applications, and each association of every widget distributed can be referenced in one master AC file.
  • a plurality of AC files can be provided, each AC file referencing one widget, or one group of widgets, with its respective associations.
  • server 10 can provide the AC file to MED 20 over wireless network 30, where it is stored in memory of the device.
  • the AC file certificate of the AC file can be configured for authentication by virtual machine 21 as discussed above.
  • a widget can be distributed to MED 20 over wireless network 30 in any conventional manner, and its certificate can be configured for authentication at step 79. Should virtual machine 21 fail to authenticate a widget certificate or AC file certificate for any reason, in some embodiments an alert can be sent to the device operator/owner, a server manager, and/or the certificate authority.
  • while widget certificates and their associated AID information are described as being referenced in the AC file prior to the AC file being provided to MED 20, in some embodiments the AC file can be provided first, and then access control file manager 15 can provide the relevant data subsequently for referencing. In some embodiments, every time a widget is distributed to MED 20 by server 10, or removed from MED 20, access control file manager 15 automatically updates the AC file residing on MED 20. Updating the AC file can include providing specific new data to memory or a data file, deleting outdated data from memory or a data file, or replacing the AC file in its entirety with a new AC file comprising correct data. As such, the AC file can always reflect the access control details of every widget installed on MED 20.
  • a copy of the AC file can be concurrently stored and managed on server 10 by access control file manager 15, so that a backup of the widget access control data can be provided if necessary, for example, should the AC file on MED 20 become corrupted or deleted.
  • virtual machine 21 can receive a request from the widget to access a secure application stored in secure element 225.
  • a request may be triggered, for example, when a widget is selected on a user interface of the mobile device, and the widget requires access to a secure application to enable a process, function or action, such as causing an NFC transaction.
  • the widget in order for a widget to access a secure application, the widget must specify which secure application it would like to access by providing the AID information of that secure application.
  • Virtual machine 21 can check the local AC file for the AID information to ensure that the widget has provided valid AID information at step 81. If the AID information provided by the widget is not valid, then at step 81 the request is rejected at which point the widget can be prompted to provide another request or the process can end.
  • virtual machine 21 can check the AC file to confirm that the widget certificate is referenced in the AC file prior to granting access to the secure application. If the widget certificate (widget identifier) is not properly referenced in the AC file, the request will likewise be rejected at step 82. In summary, virtual machine 21 can check that the widget's certificate appears in the AC file and that it is associated with the AID information of the secure application to which it is requesting access. If the widget request does not call the correct AID information, or the widget identifier is not found in the AC file, access will be denied. A notification can be provided in a similar fashion as with invalid certificates.
  • an error message can be displayed on a user interface, or a digital message can be sent, for example via e-mail, text message, or any other suitable means, to a user, or administrator etc. If the widget certificate and associated AID information are properly referenced in the AC file, access is granted at step 84, and the widget can enable the secure application to perform an NFC transaction. As such, virtual machine 21 can act as a proxy and provide an additional layer of access control security.
  • the AID information can include a driver provided by secure element manager 23 of Figure 9, and virtual machine 21 can encapsulate the driver information into a second driver which can monitor accessed secure applications. Virtual machine 21 can then keep a record of any access provided to widgets.
  • AID information further includes one or more descriptors or flags related to a secure application.
  • flags can have associated values and can be strings that extend the initial structure of the AID information.
  • a flag can be, for example, a "payment" flag, an "identification" flag, or a "communication" flag, each flag indicating a specific function or feature of the respective secure application.
  • flags can be employed to further filter widget access to secure applications based on which flags have been designated and associated with the AID information and the widget.
  • a secure application may have more than one function or feature, but a widget requesting access to that secure application may only have access rights to access that secure application for one particular function and not another. Therefore, in some embodiments, a widget can only display multimedia content associated with a secure application, or enable the secure application to perform a function, if the widget calls the AID information with the correct flag.
  • flags can be used as filters to enable virtual machine 21 to quickly determine which widgets can access which secure applications. This can be accomplished by reading the content of an AC file such as the example AC file shown in Fig. 13B, locating all instances of the flag, and propagating a list for use by the virtual machine 21. For example, in some embodiments a widget can only call "payment" flags. In this instance, the virtual machine can search for all instances where "payment" flags appear in the AC file and then determine if the widget identifier (widget certificate) is associated with that AID information.
  • Fig. 13A shows a widget labeled Widget 1 having a widget certificate labeled Widget Certificate (ID) 1.
  • Widget 1 is provided with access to Secure Application 1 and Secure Application 2.
  • Secure Application 1 comprises an application identifier AID 1, and a flag connoted by Flag A.
  • Secure Application 2 comprises AID 2, Flag A and Flag B.
  • should virtual machine 21 search for Flag A, both Secure Application 1 and Secure Application 2 will be accessible; however, should Flag B be searched, only Secure Application 2 will be accessible to the widget.
  • Fig. 13B shows an example AC file with an AC file certificate, comprising a reference directory of widgets and associated AID information, including application identifiers and flags for each widget. Included in the reference directory is the information relating to access control provided to Widget 1 of Fig. 13A. It will of course be understood by those of ordinary skill in the art that the format of the depictions of Fig. 13A and Fig. 13B are exemplary in nature, and are meant to convey the organization of access control information provided to widgets and AC files respectively. It should also be understood that such information may be provided as machine readable numeric or alphanumeric code, and that the labels and flags provided should not be understood as limiting.
  • illustrative embodiments and arrangements of the present systems and methods provide a computer implemented method, computer system, and computer program product for providing integrated distribution and transaction systems and methods for NFC services related to mobile electronic devices.
  • the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments and arrangements.
  • each block in the flowchart or block diagrams can represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the figures.
  • the computing system can include clients and servers.
  • a client and server are generally remote from each other and typically interact through a communication network.
  • the relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.

Abstract

A mobile integrated distribution and transaction system and method for NFC services are described. The system comprises a server for creating a widget having a lifecycle and a certificate, distributing the widget, and retrieving the widget information used on NFC transactions, and at least one mobile electronic device having a transaction terminal comprising a NFC modem and at least one secure element for storing a plurality of secure applications, and a virtual machine for managing the widget and changing the widget information during the valid lifecycle while the NFC modem is enabling the NFC transactions with the secure element under a specific secure application.

Description

A MOBILE INTEGRATED DISTRIBUTION AND TRANSACTION SYSTEM AND METHOD FOR NFC SERVICES, AND A MOBILE ELECTRONIC DEVICE THEREOF
FIELD OF THE INVENTION
The present invention relates to an integrated distribution and transaction system and method, and more particularly, to a mobile integrated distribution and transaction system and method for NFC (Near-Field Communication) services, and a mobile electronic device thereof.
DESCRIPTION OF THE PRIOR ART
Near Field Communication (NFC) is a new, short-range wireless connectivity technology that evolved from a combination of existing contactless identification and interconnection technologies. Products with built-in NFC will dramatically simplify the way consumer devices interact with one another, helping people speed connections, receive and share information and even make fast and secure payments.
Operating at 13.56 MHz and transferring data at up to 424 Kbits/second, NFC provides intuitive, simple, and safe communication between electronic devices. NFC is both a "read" and "write" technology. Communication between two NFC-compatible devices occurs when they are brought within four centimeters of one another; a simple wave or touch can establish an NFC connection, which is then compatible with other known wireless technologies such as Bluetooth or Wi-Fi. The underlying layers of NFC technology follow universally implemented ISO, ECMA, and ETSI standards. Because the transmission range is so short, NFC-enabled transactions are inherently secure. Also, physical proximity of the device to the reader gives users the reassurance of being in control of the process.
NFC can be used with a variety of devices, from mobile phones that enable payment or transfer information, to digital cameras that send their photos to a TV set with just a touch. The possibilities are endless, and NFC is sure to take the complexities out of today's increasingly sophisticated consumer devices and make them simpler to use.
SUMMARY OF THE INVENTION
One object of the present invention is to provide a mobile integrated distribution and transaction system and method particularly for use on information processing of NFC services.
Another object of the present invention is to provide a mobile distribution system and method to distribute the widgets used for NFC transactions.
Yet another object of the present invention is to provide a mobile transaction system and method to use the widgets in NFC transactions.
Still another object of the present invention is to provide a mobile electronic device to use the widgets in NFC transactions.
The aforementioned objects can be achieved singularly or in combination when providing the invention defined by the claims appended hereto as summarized below.
In order to achieve the aforementioned objects, the present invention provides a mobile integrated distribution and transaction system comprising: a server having a widget generator for creating a widget having a certificate; a communication interface for distributing the widget and retrieving the widget information associated with NFC transactions; and at least one mobile electronic device having a transaction terminal comprising an NFC modem and at least one secure element divided into a plurality of secure domains, and a virtual machine for managing the widget and changing the widget information while the NFC modem is enabling the NFC transactions with the secure element.
In order to achieve the aforementioned objects, the present invention provides a mobile distribution system comprising: a widget generator for creating a widget having a certificate; and a communication interface for distributing the widget to a mobile electronic device with a transaction terminal having at least one secure element for storing a plurality of secure applications, and retrieving the widget information from the mobile electronic device using the transaction terminal for NFC transactions.
In order to achieve the aforementioned objects, the present invention provides a mobile distribution method, comprising the following steps: generating a widget having a certificate; distributing the widget to a mobile electronic device with a transaction terminal having at least one secure element for storing at least one secure application; and retrieving the widget information from the mobile electronic device on NFC transactions enabled by one of the secure element in use of the transaction terminal.
In order to achieve the aforementioned objects, the present invention provides a mobile transaction system to use a widget on wireless transactions, comprising: means for receiving widgets, each widget having a certificate and displaying multimedia content associated with a secure application; a graphical user interface for displaying the widgets; means for selecting one of the widgets on the graphical user interface; and means for transmitting the widget information while enabling the wireless transactions with a secure element.
In order to achieve the aforementioned objects, the present invention provides a mobile transaction method to use a widget on NFC transactions, comprising: receiving widgets, where each widget has a certificate; displaying the widgets on a graphical user interface; selecting one of the widgets on the graphical user interface; and changing the widget information while an NFC modem is enabling the NFC transactions with a secure element.
The aforementioned method can be implemented by software installed on a mobile electronic device comprising the NFC modem and the graphical user interface.
The aforementioned method can be executed by computer-executable instructions stored in a computer-readable media.
In order to achieve the aforementioned objects, the present invention provides a mobile electronic device for NFC services, comprising: a transaction terminal having an NFC modem for transmitting radio frequency (RF) signals associated with a contactless data of NFC transactions, and at least one secure element for storing at least one secure application; and a virtual machine for authenticating and managing a plurality of widgets, each widget having a certificate, and changing the widget information while the NFC modem is enabling the NFC transactions with the secure element.
The aforementioned mobile electronic device can be a PDA or an iPod or a cell phone or a hand-held device or a multimedia player.
In order to achieve the aforementioned objects, the present invention provides a mobile electronic device for NFC services, composed of: a wireless modem for receiving a widget with a certificate from a wireless network; at least one secure element for storing at least one secure application; an NFC modem for transmitting radio frequency (RF) signals associated with a contactless data of NFC transactions; a graphical user interface for displaying the widget; a memory for storing the widget; and a processor performing a virtual machine for managing the widget(s) and changing the widget(s') information while the NFC modem is enabling the NFC transactions with the secure element.
In the mobile integrated distribution and transaction system and method, the mobile distribution system and method, the mobile transaction system and method, and the mobile electronic device thereof according to the present invention, associated information of various transaction applications can be displayed on a mobile electronic device through widgets having a certificate, NFC transactions can be enabled by a secure element for storing a secure application, and information associated with a secure application can be received or processed by the widgets.
According to another broad aspect of the invention, a mobile distribution system, installed on a mobile electronic device, includes a processor, memory, and code in the memory for implementing a particular mobile operating system in the processor, and being operatively coupled to a secure element having one or more secure applications. The system further includes a virtual machine configured to execute in the processor to provide a runtime environment capable of running a plurality of widgets and configured to enable the widgets to be operable on any of a plurality of mobile operating systems including the particular mobile operating system. The system further includes a secure element manager configured to enable the widgets to read from or write to the secure element by providing the widgets with access to corresponding secure applications stored in the secure element, and enabling the mobile electronic device to perform NFC transactions using the corresponding secure applications.
In yet further embodiments, the secure element manager can be configured to create an instance of a configured driver enabling access to the secure element in response to a request by a widget to access the secure element, with the secure element manager being configured to provide access to a plurality of secure elements. In a more particular aspect, the system can further include a content handler configured to provide one or more of the following: communication between a third-party application installed on the mobile electronic device and the widgets; and communication between the third-party application installed on the mobile electronic device and the corresponding secure applications stored in the secure element. The system can further comprise a content handler plug-in, the content handler plug-in being implemented in the third-party application and enabling the third-party application to operatively communicate with the content handler. The content-handler plug-in can further comprise a unified reference locator (URL) of the content handler for connection to the content handler, and widget identifiers associated with specific widgets, wherein the widget identifier can be presented to the content handler via the URL to enable access by the third-party application to the widget.
In still a further aspect of the invention, the virtual machine can be configured to perform one or more of the following: initiate a download of a widget from a widget distribution interface over a wireless network when a widget identifier associated with the widget is presented to the content handler by the third-party application, but the at least one widget is not presently installed on the mobile electronic device; and initiate a download of the third-party application from a third-party application distribution interface over the wireless network when the widget attempts to communicate with the third-party application, but the third-party application is not presently installed on the mobile electronic device.
In still yet further embodiments, the system includes: an extensions manager configured using code executed in the processor to provide communication between the virtual machine and/or the secure element manager, and a plurality of extensions associated with the plurality of mobile operating systems. Each of the widgets in this embodiment can be configured to be operable in the runtime environment using code executing in the processor, without necessitating configuration directly with the plurality of mobile operating systems, and each of the widgets can be added, removed, or updated without necessitating alteration of the runtime environment.
According to yet another broad aspect of the invention, a method of providing a mobile distribution system, for use on a mobile electronic device having a particular mobile operating system, a processor, memory, and code in the memory for implementing a particular mobile operating system in the processor, and being operatively coupled to a secure element having one or more secure applications is provided. A server uses code to generate a mobile client for distribution over a wireless network to the mobile electronic device, the mobile client including at least the following: a virtual machine configured to execute in the processor to provide a runtime environment capable of running a plurality of widgets and configured to enable the widgets to be operable on any of a plurality of mobile operating systems including the particular mobile operating system. A secure element manager is configured to enable at least one widget of the plurality of widgets to read from or write to the secure element by providing the at least one widget with access to a corresponding one of the one or more secure applications stored in the secure element, and by enabling the mobile electronic device to perform at least one NFC transaction using the corresponding secure applications.
In accordance with one or more of the foregoing methods, the secure element manager can be configured to create an instance of a configured driver enabling access to the secure element in response to a request by the widget to access the secure element. As well, the secure element manager can be configured to provide access to a plurality of secure elements. The mobile client can then be distributed to
According to another broad aspect of the invention, a method for providing access control for widget management on a mobile electronic device is provided. The method can include a mobile electronic device having a processor, a memory, code in the memory for implementing in the processor a virtual machine, and an NFC transceiver. The mobile electronic device can be operatively coupled to a secure element and be in wireless communication with a server over at least one wireless network, the server having a server processor and a server memory. The method can include generating, by the server, a widget having a widget certificate and associating, by the server, the widget certificate with application identification (AID) information corresponding to at least one secure application stored in the secure element.
The method further includes referencing, by the server, the widget certificate and the associated AID information in an access control (AC) file having an AC file certificate, providing, by the server, the AC file to the mobile electronic device over the wireless network, and configuring the widget certificate and the AC file for authentication. The method further includes determining whether to provide the widget with access to the at least one secure application to enable the at least one secure application to perform at least one NFC transaction. In some embodiments, in response to the authentication of the widget certificate and the AC file certificate, the virtual machine is configured to provide the widget with access to the at least one secure application when either (a) the widget specifies the associated AID information of the at least one secure application referenced in the AC file; or (b) the widget certificate referenced in the AC file matches the authenticated widget certificate.
In a more particular aspect, the method can further include updating the AC file when a widget is added to, modified on, or removed from the mobile electronic device. In the method, configuring the widget certificate for authentication can comprise verifying the widget certificate by the virtual machine upon distribution of the widget to the mobile electronic device; and configuring the AC file for authentication can comprise verifying the AC file certificate by the virtual machine upon providing the AC file to the mobile electronic device.
In yet further aspects of the method the AID information can comprise an application identifier and at least one access control flag, and further comprise configuring the virtual machine to filter widget access to the at least one secure application based on the at least one access control flag. In some embodiments, the method can include displaying via the widget multimedia content associated with the at least one secure application to which access has been provided based on the at least one access control flag. The at least one access control flag can be a payment flag, an identification flag, and/or a communication flag. The method can include dividing the secure element into a plurality of secure domains, and storing the at least one secure application in a respective secure domain. The method can further include configuring the widget to respond to the at least one NFC transaction occurring by retrieving information on the at least one NFC transaction associated with the secure application. In yet further aspects, the at least one secure application can include at least one of a transport application, a credit/debit application, a coupon application, a secure access application, a loyalty card application, an electronic purse application, or a ticketing application. Finally, the at least one secure element can include at least one of a secure SIM card, a secure memory card, and secure internal memory.
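The access decision described in the preceding paragraphs, as an added Python sketch that is not code from the patent: the AC file is a reference directory keyed by widget certificate fingerprint, each entry listing AIDs with their flags, using the Widget 1 / AID 1 / AID 2 / Flag A / Flag B layout the page attributes to Fig. 13A. Assumptions of the example: an HMAC tag stands in for authenticating the AC file certificate, a SHA-256 fingerprint stands in for authenticating the widget certificate, Widget 2 and all key and certificate bytes are constructed, and access is denied unless the certificate is referenced in the AC file and the AID is listed for it.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample values. AC_ISSUER_KEY stands in for whatever trust anchor
# the virtual machine uses to authenticate the AC file certificate (assumption).
AC_ISSUER_KEY = b"constructed-demo-key"
WIDGET_1_CERT = b"constructed certificate bytes for Widget 1"
WIDGET_2_CERT = b"constructed certificate bytes for Widget 2"  # not on the page


def fingerprint(cert):
    """SHA-256 fingerprint used to reference a widget certificate in the AC file."""
    return hashlib.sha256(cert).hexdigest()


def _canonical(directory):
    # Stable byte encoding so server and device compute the tag over the same input.
    return json.dumps(directory, sort_keys=True, separators=(",", ":")).encode()


def build_ac_file(directory, key=AC_ISSUER_KEY):
    """Server side: wrap the reference directory with an integrity tag."""
    tag = hmac.new(key, _canonical(directory), hashlib.sha256).hexdigest()
    return {"directory": directory, "tag": tag}


def authenticate_ac_file(ac_file, key=AC_ISSUER_KEY):
    """Device side: return the directory only if the tag verifies, else None."""
    directory = ac_file.get("directory")
    tag = ac_file.get("tag")
    if not isinstance(directory, dict) or not isinstance(tag, str):
        return None
    expected = hmac.new(key, _canonical(directory), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return directory


def accessible_aids(ac_file, widget_cert, flag=None):
    """AIDs the widget may reach, optionally filtered by one access control flag.

    Deny by default: an unauthenticated AC file or an unreferenced widget
    certificate yields an empty list.
    """
    directory = authenticate_ac_file(ac_file)
    if directory is None:
        return []
    entry = directory.get(fingerprint(widget_cert))
    if entry is None:
        return []
    return sorted(
        aid for aid, flags in entry["aids"].items() if flag is None or flag in flags
    )


def may_access(ac_file, widget_cert, aid, flag=None):
    """True only if the AID is listed for this widget (and carries the flag)."""
    return aid in accessible_aids(ac_file, widget_cert, flag)


def remove_widget(ac_file, widget_cert, key=AC_ISSUER_KEY):
    """Server side: update the AC file when a widget is removed, then re-tag it."""
    directory = copy.deepcopy(ac_file["directory"])
    directory.pop(fingerprint(widget_cert), None)
    return build_ac_file(directory, key)


# Reference directory mirroring the Widget 1 example: AID 1 carries Flag A,
# AID 2 carries Flag A and Flag B. The Widget 2 entry is constructed.
DIRECTORY = {
    fingerprint(WIDGET_1_CERT): {
        "widget": "Widget 1",
        "aids": {"AID 1": ["A"], "AID 2": ["A", "B"]},
    },
    fingerprint(WIDGET_2_CERT): {
        "widget": "Widget 2",
        "aids": {"AID 2": ["B"]},
    },
}

if __name__ == "__main__":
    ac = build_ac_file(DIRECTORY)
    print("Flag A:", accessible_aids(ac, WIDGET_1_CERT, "A"))
    print("Flag B:", accessible_aids(ac, WIDGET_1_CERT, "B"))

    # A directory edited on the device no longer matches its tag: nothing is granted.
    tampered = copy.deepcopy(ac)
    tampered["directory"][fingerprint(WIDGET_1_CERT)]["aids"]["AID 1"].append("B")
    print("Tampered AC file:", accessible_aids(tampered, WIDGET_1_CERT, "B"))

    # After removal the widget's certificate is no longer referenced.
    print("After removal:", accessible_aids(remove_widget(ac, WIDGET_1_CERT), WIDGET_1_CERT))
```

The tampered case is the one to watch in a real design: flag filtering is only as trustworthy as the integrity check on the directory that carries the flags.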
According to another broad aspect of the invention a system in accordance with the method of providing widget access control management on a mobile electronic device is also provided.
These and other aspects, features and advantages will be understood with reference to the following description of certain embodiments of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 shows a system architecture diagram of a mobile integrated distribution and transaction system for NFC service in accordance with the present invention.
Fig. 2 shows a block diagram of a transaction terminal in accordance with the present invention.
Fig. 3A shows a schematic block diagram illustrating the software and the hardware of the mobile electronic device.
Fig. 3B shows a schematic block diagram illustrating the mobile electronic device of Fig. 3A communicating with the bank server for receiving widgets and enabling a transaction communication.
Fig. 4 shows a schematic diagram illustrating a plurality of applied widgets displayed on the graphical user interface of the mobile electronic device in accordance with the present invention.
Fig. 5 shows a schematic block diagram illustrating the various states of a widget in accordance with the present invention.
Fig. 6 is a flow chart showing a mobile distribution method in accordance with the present invention.
Fig. 7 is a flow chart showing a mobile transaction method in accordance with the present invention.
Fig. 8 shows a system architecture diagram of a mobile integrated distribution and transaction system for NFC services in accordance with embodiments of the present invention.
Fig. 9 shows a schematic block diagram illustrating elements of the software and the hardware of the mobile electronic device in accordance with embodiments of the present invention.
Fig. 10 is a flow chart showing a mobile distribution method in accordance with embodiments of the present invention.
Fig. 11 shows a system architecture diagram of an integrated distribution and transaction system for NFC services on mobile electronic devices in accordance with embodiments of the present invention.
Fig. 12 is a flow chart showing a method for providing access control for widget management on a mobile electronic device in accordance with embodiments of the present invention.
Fig. 13A and Fig. 13B show exemplary representations of a widget and an Access Control file in accordance with embodiments of the present invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Fig. 1 shows a system architecture diagram of a mobile integrated distribution and transaction system for NFC service in accordance with the present invention. The mobile integrated distribution and transaction system for NFC service of the present invention comprises a server 10 that comprises a communication interface 11 communicating with a wireless network 30 and that executes a widget lifecycle management platform 12. The widget lifecycle management platform 12 comprises a widget generator for creating a widget. The widget may display multimedia content associated with a secure application. In an embodiment of the present invention, the widget generator is a software development kit (SDK) of the widget lifecycle management platform 12, and the widget is an independent application that is developed using the SDK and that can only be run on a virtual machine 21 of a mobile electronic device 20.
In an embodiment of the present invention, the widget is assigned a certificate which allows the widget to enable a NFC transaction with a secure element for storing a plurality of secure applications. In an embodiment, the widget is assigned a lifecycle, and the widget lifecycle management platform 12 retrieves the widget information used on the NFC transaction through the communication interface 11 during the valid lifecycle. In an embodiment of the present invention, the widget is assigned an identification number representing an account for conducting the NFC transactions under a secure application. In each embodiment of the present invention, the secure application is, but is not limited to, a transport application or a credit/debit application or a coupon application or a secure access application or a loyalty card application or an electronic purse application or a ticketing application.
The widget lifecycle management platform 12 of the mobile integrated and transaction system of the present invention uses the communication interface 11 to distribute a plurality of widgets to at least one mobile electronic device 20 through the wireless network 30. In an embodiment of the present invention, the widget lifecycle management platform 12 also uses the communication interface 11 to retrieve the widget information used on the NFC transaction from the mobile electronic device 20 so as to analyze the information associated with NFC transactions received by the widget.
Still referring to FIG. 1, the mobile integrated distribution and transaction system of the present invention comprises at least one mobile electronic device 20 comprising a virtual machine 21 and a transaction terminal 22. The virtual machine 21 is an implementation of software and provides a widget management platform for managing the widget received by the mobile electronic device 20 from the server 10. In an embodiment of the present invention, the transaction terminal 22 allows the mobile electronic device 20 to enable a peer-to-peer transaction with other NFC devices 31, so that the mobile electronic device 20 changes the widget information or that the widget receives the information associated with transactions. In another embodiment of the present invention, the transaction terminal 22 allows the mobile electronic device 20 to enable a card emulation mode transaction with a point-of-sales (POS) terminal 32, so that the mobile electronic device 20 changes the widget information or that the widget receives the information associated with transactions. In yet another embodiment of the present invention, the transaction terminal 22 allows the mobile electronic device 20 to enable a reader mode transaction with a radio-frequency identification (RFID) tag 33, so that the mobile electronic device 20 changes the widget information or that the widget receives the information associated with transactions. In other words, an NFC transaction enabled by the mobile electronic device 20 includes, but is not limited to, a peer-to-peer transaction, a card emulation mode transaction, and a reader mode transaction.
In an embodiment of the present invention, a mobile electronic device 20 for NFC services comprises a transaction terminal 22 as shown in Fig. 2 and a virtual machine 21. The transaction terminal 22 comprises: an NFC modem for transmitting radio frequency (RF) signals associated with contactless data of NFC transactions or for transmitting data associated with NFC transactions; and at least one secure element divided into at least one secure domain where a specific secure application is located or stored. In an embodiment of the present invention, the secure element is implemented by a SIM card for a cell phone or a secure memory card, such as a micro-SD card. The virtual machine 21 is installed on the mobile electronic device 20 for authenticating and managing a plurality of widgets, and each widget has a certificate. After the certificate is authenticated by the virtual machine 21, the virtual machine 21 allows the widget to access the secure element 225. The widget changes the widget information or retrieves information under a corresponding secure application stored in one of the secure domains while the NFC modem is enabling the NFC transactions with the secure element 225.
Fig. 2 shows a block diagram of a transaction terminal in accordance with the present invention. The transaction terminal 22 is implemented on a mobile electronic device 20. In an embodiment of the present invention, the mobile electronic device 20 is a PDA or an iPod or a cell phone or a hand-held device or a multimedia player. In another embodiment of the present invention, the mobile electronic device 20 comprises the transaction terminal 22 only, exclusively used for conducting NFC transactions under the control of a secure application located or stored in a secure domain.
In an embodiment of the present invention, a mobile electronic device 20 comprises a transaction terminal 22. The transaction terminal 22 is used for NFC transactions, composed of a wireless modem 226, at least one secure element 225, an NFC modem 224, a memory 223, a graphical user interface 222, and a processor 221. The wireless modem 226 can use a wireless protocol such as 3G, GPRS, Bluetooth, or WiFi or any other wireless communication protocol such that the mobile electronic device 20 communicates with a wireless network 30, and the widget is distributed to the mobile electronic device 20 through the wireless modem 226 of the transaction terminal 22. The secure element 225 is hardware embedded into the mobile electronic device 20 and is divided into a plurality of secure domains where secure applications are located or stored. In an embodiment of the present invention, the mobile electronic device 20 is a cell phone, and the secure element 225 is the SIM card for a cell phone or a secure memory card which can be plugged into the memory card slot of the mobile electronic device 20. For example, such a secure memory card is a micro-SD card. In another embodiment of the present invention, the mobile electronic device 20 may comprise a plurality of secure elements 225. For example, both a SIM card and a memory card are embedded into a NFC mobile phone. The SIM card and the memory card are divided into a plurality of secure domains for storing a plurality of secure applications, respectively.
In some embodiments, secure element 225 can be operatively connected to the mobile electronic device 20 as described above. In some embodiments, secure element 225 can be operatively connected to the mobile electronic device 20 without being embedded or plugged into the mobile electronic device 20. For example, the secure element 225 may be wirelessly connected to the mobile electronic device 20 via any appropriate wireless communication means (e.g., Bluetooth, WiFi, RF, etc.). Once the secure element 225 is operatively connected to the mobile electronic device 20 using any of the above means, NFC transactions can be conducted under the control of a secure application located or stored in a secure domain of the secure element 225.
The NFC modem 224 comprises a built-in NFC antenna (not shown) for NFC transactions and is electronically connected to the secure element 225. The processor 221 of the transaction terminal 22 executes software program instructions of a widget management platform, and is electrically connected to the wireless modem 226 to receive the widgets distributed by the server 10 or to transmit information associated with NFC transactions received by the widget back to the server 10. The widget is assigned an identification number representing an account for conducting NFC transactions under the control of a secure application stored in the secure element, and the information transmitted back to the server 10 from the widget includes the identification number.
In addition, the processor 221 electronically connects to the secure element 225 and the NFC modem 224 to access the secure element 225 for enabling the NFC transactions. The processor 221 also electronically connects to the memory 223 for storing the received widget and connects to the graphical user interface 222 for displaying multimedia content associated with a secure application represented by the widget.
In an embodiment of the present invention, the widget assigned a certificate corresponds to a specific secure application stored in a secure domain. The certificate will be authenticated by the widget management platform provided by the virtual machine 21. If the certificate passes the authentication, the virtual machine 21 will allow the widget to access the secure element 225 to enable the NFC modem 224 to conduct the NFC transactions under a secure application, so that the widget information is changed or that the transaction information associated with a secure application is received by the widget. A secure application is located or stored in a secure domain. For example, a loyalty card application is located in a secure domain which enables a loyalty card transaction with the secure element 225. For another example, an electronic purse application is located in a secure domain which enables an electronic purse transaction with the secure element 225. For another example, a coupon application is located in a secure domain which enables a coupon transaction with the secure element 225.
In an embodiment of the present invention, the widget is assigned a certificate and a lifecycle. During the valid lifecycle, if the certificate passes the authentication of the virtual machine 21, it will allow the widget to access the secure element 225 to enable the NFC modem 224 to conduct the NFC transactions. The widget also transmits information associated with the NFC transaction back to the server 10 through the wireless modem 226 during the valid lifecycle. In an exemplary embodiment, the widget displays multimedia content associated with a coupon application and is assigned a lifecycle associated with the coupon. The widget is distributed to the mobile electronic device 20, which uses the coupon information of the widget through NFC transactions under the coupon application during the valid lifecycle of the coupon.
Fig. 3A shows a schematic block diagram illustrating the software and the hardware of the mobile electronic device. In the mobile electronic device of the present invention, the virtual machine 21 manages the widget received by the mobile electronic device 20 from the server 10, and authenticates the certificate of the widget to allow the widget to communicate with the transaction terminal 22. Each widget displays multimedia content associated with a secure application; for example, it may be a widget associated with AirFrance, VISA, or EasyCard applications. In the embodiments of the present invention, the virtual machine 21 may be installed on various mobile electronic devices 20 (such as a PDA, an iPod, a mobile phone, a handheld device, or a multimedia player) and provides a widget management platform such that the authenticated widget accesses the secure element 225 of the transaction terminal 22 to enable NFC transactions.
Fig. 4 shows a schematic diagram illustrating a plurality of applied widgets displayed on the graphical user interface of the mobile electronic device in accordance with the present invention. In an embodiment of the present invention, the widgets managed by the virtual machine 21 may be displayed by the graphical user interface 222 of the transaction terminal 22, and it is preferable that the graphical user interface 222 is implemented by a touch panel. The user may move a finger on the touch panel in the arrow direction shown in Fig. 4 to select one of the widgets, such as the widget associated with a VISA application stored in a secure element, and then move the selected widget to the up-front position. When the user uses a finger to click on the up-front widget on the touch panel, it means that the user decides to use that selected widget to enable NFC transactions.
Once the user selects a widget, the virtual machine 21 will allow the widget to access the secure element 225 of the transaction terminal 22 to activate the NFC modem 224. The selected widget then waits for an event triggered by the NFC modem 224 so that the widget information changes or that the widget receives transaction information associated with the VISA secure application, wherein the event is an interaction associated with the NFC transaction, as shown in Fig. 4.
Fig. 3B shows a schematic block diagram illustrating the mobile electronic device of the Fig. 3A communicating with the bank server for receiving widgets and enabling a transaction communication. In an embodiment of the present invention, a secure element 225 of the mobile electronic device 20 is provided by a bank, such as a secure micro-SD card which can be plugged into the micro-SD card slot of the mobile electronic device 20. The memory space of micro-SD card may be divided in a plurality of secure domains such as SD1, SD2 as shown in Fig. 3B. One secure application is located or stored in one secure domain; for example, a VISA secure application is located in a secure domain which enables VISA secure transactions using the secure element 225. The secure application is, but not limited to, a transport application or a credit/debit application or a coupon application or a secure access application or a loyalty card application or an electronic purse application or a ticketing application. A bank server 10' issues a secure application downloaded and stored into one secure domain of the secure element 225, and issues widgets promoted by the bank. Each widget is assigned a certificate and the certificate allows the widget to be authenticated by the virtual machine 21 to access the secure element 225 such that the widget received by the mobile electronic device 20 from the bank server 10' can enable NFC transactions under a corresponding secure application located in the secure domain of the secure element 225.
Fig. 5 shows a schematic block diagram illustrating the various states of a widget in accordance with the present invention. The widget used in the mobile integrated distribution and transaction system of the present invention has a plurality of states. The initial state of the widget is "not activated" when the widget is created on the server. The state of the widget will change to "deleted" if the widget is assigned a lifecycle but the state of the widget remains as "not activated" after the valid lifecycle is past. The mobile electronic device 20 requests the server 10 for downloading a widget. The state of the widget is "distributed" when the widget is being distributed to the virtual machine 21 of the mobile electronic device 20 before the widget is activated successfully. The state of the widget will change from "distributed" to "activated" when the widget is authenticated by the virtual machine 21 and then successfully accesses the corresponding secure application stored in the secure elements 225.
The virtual machine 21 allows the widget to access the secure element 225 of the transaction terminal 22 to activate the NFC modem 224 when the user selects a widget on the graphical user interface 222. The widget then reacts to an event triggered by the NFC modem 224 such that the state of the widget changes from "activated" to "in use" under a specific secure application corresponding to the widget, and the event is an interaction associated with NFC transactions. The state of the widget will return from "in use" to "activated" after the widget completes processing the information on NFC transactions.
In an embodiment of the present invention, the widget, such as a widget associated with a coupon application, will change its state from "in use" to "deleted" after the widget completes processing the information on NFC transactions. In another embodiment of the present invention, when an error occurs while the widget is processing the information on NFC transactions, such as a date conflict error or a secure application conflict error on NFC transactions, then the state of the widget will change from "in use" to "error" and the graphical user interface 222 will display the error information. The state of the widget will return from "error" to "activated" after the error is resolved.
In an embodiment of the present invention, the widget can transfer messages between two virtual machines of separate mobile electronic devices. The virtual machine 21 will allow the widget to access the secure element 225 of the transaction terminal 22 to activate the NFC modem 224 when the user chooses to share a widget on the graphical user interface 222. The widget then reacts to an event triggered by the NFC modem 224 such that the state of the widget changes from "activated" to "on share" under a specific secure application corresponding to the widget, and the event is an interaction associated with NFC transactions. The state of the widget will return from "on share" to "activated" after the widget completes processing the information on NFC transactions.
In an embodiment of the present invention, the virtual machine 21 will allow the widget to access the secure element 225 of the transaction terminal 22 to activate the NFC modem 224 when the user chooses to update a widget on the graphical user interface 222. The widget then reacts to an event triggered by the NFC modem 224 such that the state of the widget changes from "activated" to "updated" under a specific secure application corresponding to the widget, and the event is an interaction associated with NFC transactions. The state of the widget will return from "on share" to "updated" after the widget updates the information on NFC transactions.
Fig. 6 is a flow chart showing a mobile distribution method in accordance with the present invention. In an embodiment of the invention, the mobile distribution system implements a mobile distribution method, the method comprising the following steps: creating a widget displaying multimedia content associated with a secure application such as a transport application or a credit/debit application or a coupon application or a secure access application or a loyalty card application or an electronic purse application or a ticketing application. The widget only executes on a virtual machine 20 of the mobile electronic device 20 or installed on the mobile electronic device 20.
In the mobile distribution method, the step of creating a widget further comprises: initializing a state of the widget as "not activated" when the widget is created; assigning a certificate to the widget, wherein the widget is associated with a specific secure application such as a transport application or a credit/debit application, and the certificate allows the widget authenticated by the virtual machine 21 to access the secure element 225 embedded or plugged into the transaction terminal 22 to enable NFC transactions to retrieve information under a specific secure application; assigning a lifecycle to the widget, wherein the widget downloaded to the mobile electronic device 20 may process or retrieve information on NFC transactions during the valid lifecycle and transmit information back to the server 10; and assigning an identification number representing an account for conducting NFC transactions under the control of a secure application corresponding to the widget. In addition, the method comprises the following step: recording the certificate, lifecycle and the identification number assigned to the widget to gather statistics for the mobile distribution system or to analyze the widget.
In an embodiment of the present invention, the mobile distribution system further comprises the following steps: distributing the widget to the mobile electronic device 20 and changing the state of the widget from "not activated" to "distributed", wherein the mobile electronic device 20 has a transaction terminal 22 comprising at least one secure element 225 for storing a secure application and a virtual machine 21; and retrieving the widget information from the mobile electronic device 20 while the state of the widget is "activated", wherein the widget information is gathered or updated by the widget while the mobile electronic device 20 enables NFC transactions. In another embodiment of the present invention, the mobile distribution method further comprises the following step: analyzing the information gathered or updated by the widget for transaction accounting according to the recorded lifecycle and identification number.
Fig. 7 is a flow chart showing a mobile transaction method in accordance with the present invention. In an embodiment of the present invention, the mobile transaction method is implemented by the mobile transaction system of the present invention or by the mobile electronic device 20 as shown in Fig. 1, wherein the mobile electronic device comprises the transaction terminal 22 as shown in Fig. 2. The mobile transaction method is implemented by software installed on the mobile electronic device 20 comprising the NFC modem and the graphical user interface 222. The mobile transaction method comprises the following steps: receiving the widgets distributed by the server 10, each widget having a certificate, and/or a lifecycle and an identification number, wherein the certificate allows the widget authenticated by the virtual machine 21 to access the secure element 225 embedded or plugged into the transaction terminal 22 to enable NFC transactions, wherein the identification number represents an account for conducting NFC transactions under a secure application, and wherein the widget information is changed while the NFC modem is enabling the NFC transactions during the valid lifecycle; and authenticating the certificate of the widget to determine whether the widget can access the secure element 225 of the transaction terminal 22, wherein the widget is activated if the widget successfully accesses the secure element 225 to retrieve information from a specific secure application stored in the secure element, and the state of the widget changes from "distributed" to "activated".
The mobile transaction method further comprises: displaying the widgets on the graphical user interface 222, wherein the widgets display multimedia content associated with a secure application; managing the widgets; selecting one of the widgets on the graphical user interface 222 to use, share or update such that the selected widget reacts to an event, which is an interaction associated with NFC transactions, triggered by the NFC modem 224 and changing the state of the widget to "in use", "on share" or "updated"; using the selected widget to communicate with the secure element; changing or transmitting the widget information while the NFC modem 224 is enabling NFC transactions with the secure element 225; and changing the state of the widget back to "activated" after the widget is used, shared or updates the received information on NFC transactions.
In an embodiment of the present invention, the method further comprises: the widget retrieving information associated with the NFC transaction from the NFC modem, or a secure application corresponding to the widget; and transferring the widget or widget information on to the mobile electronic device 20 having an NFC modem through the NFC transaction, or through a combination of the NFC transaction and a communication means.
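The widget states of Fig. 5 and the gating conditions of the method of Fig. 7 can be modelled as a guarded state machine. The following is an added example, not code from the patent or its applicant: the event names, the class names and the use of an HMAC tag as a stand-in for certificate authentication are assumptions, while the state names are the ones used in the description.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# (current state, event) -> next state, as stated for Fig. 5 and Fig. 7.
# Event names are assumptions made for this example.
TRANSITIONS = {
    ("not activated", "distribute"): "distributed",
    ("not activated", "expire"): "deleted",
    ("distributed", "activate"): "activated",
    ("activated", "use"): "in use",
    ("activated", "share"): "on share",
    ("activated", "update"): "updated",
    ("in use", "done"): "activated",
    ("in use", "consumed"): "deleted",   # e.g. a coupon widget after use
    ("in use", "error"): "error",
    ("error", "resolved"): "activated",
    ("on share", "done"): "activated",
    ("updated", "done"): "activated",
}

# Events that need access to the secure element: these are refused unless
# the certificate authenticates and the lifecycle is still valid.
SE_EVENTS = {"activate", "use", "share", "update"}


class TransitionRefused(Exception):
    """Raised when the virtual machine rejects a requested state change."""


def issue_certificate(issuer_key: bytes, widget_id: str) -> bytes:
    # Stand-in for a real certificate: an HMAC tag bound to the widget id.
    return hmac.new(issuer_key, widget_id.encode(), hashlib.sha256).digest()


@dataclass
class Widget:
    widget_id: str
    certificate: bytes
    expires_at: Optional[datetime] = None   # None: no lifecycle assigned
    state: str = "not activated"
    history: list = field(default_factory=list)


class VirtualMachine:
    def __init__(self, issuer_key: bytes):
        self._issuer_key = issuer_key

    def _authenticated(self, w: Widget) -> bool:
        expected = issue_certificate(self._issuer_key, w.widget_id)
        return hmac.compare_digest(expected, w.certificate)

    def fire(self, w: Widget, event: str, now: datetime) -> str:
        expired = w.expires_at is not None and now > w.expires_at
        # A widget still "not activated" after its lifecycle is deleted.
        if expired and w.state == "not activated":
            event = "expire"
        target = TRANSITIONS.get((w.state, event))
        if target is None:
            raise TransitionRefused(f"{event!r} not allowed in {w.state!r}")
        if event in SE_EVENTS:
            if expired:
                raise TransitionRefused("lifecycle is no longer valid")
            if not self._authenticated(w):
                raise TransitionRefused("certificate failed authentication")
        w.history.append((w.state, event, target))
        w.state = target
        return target


if __name__ == "__main__":
    key = b"constructed-issuer-key"            # constructed sample value
    vm = VirtualMachine(key)
    t0 = datetime(2024, 1, 1)
    coupon = Widget("coupon-1", issue_certificate(key, "coupon-1"),
                    expires_at=t0 + timedelta(days=7))
    for ev in ("distribute", "activate", "use", "consumed"):
        print(ev, "->", vm.fire(coupon, ev, t0))
```

A refused transition leaves the widget in its previous state, so a widget whose certificate does not authenticate stays "distributed" and never reaches the secure element.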
Turning now to Fig. 8, a system architecture diagram of a mobile integrated distribution and transaction system for NFC services is shown in accordance with a further embodiment of the present invention. The distribution and transaction system employs a front-end mobile platform for porting and distribution of NFC applications, and has a widget-based architecture, which enables fast application development of NFC services (e.g., proximity payment, transport, ticketing, loyalty cards, coupons, etc.). In some embodiments, the distribution and transaction system comprises a mobile client 40, which is generated or otherwise preconfigured, and distributed to a plurality of mobile electronic devices 20. The mobile client 40 is a runtime system that is configured to enable widgets that are delivered to the mobile electronic device 20 to be loaded and executed. The system further includes a widget distribution interface 13 operating on server 10, which can comprise the communication interface 11 and widget lifecycle management platform 12, both of which are described in detail above in the description of Fig. 1.
In some embodiments, widgets are developed using the widget generator (SDK) associated with the widget lifecycle management platform 12 as described above, and are distributed by the communication interface 11 over wireless network 30 to one or more mobile electronic devices 20, where they are executed on mobile client 40. Mobile client 40 is configured to be compatible with a plurality of mobile operating systems (OSs) employed on a plurality of mobile electronic devices from a plurality of manufacturers and/or service providers. Different OSs may have different interfaces and different OS-specific functions and/or requirements. Likewise, different mobile electronic devices have different hardware components, each having their own requirements. For example, accessing the NFC transceiver or the secure element (SE) requires different extensions, protocols and/or drivers depending on the particular OS and hardware of the mobile electronic device 20. As such, mobile client 40 is configured with a plurality of compatible extensions, protocols and/or drivers already integrated. This allows service providers, for example, the flexibility to design a single OS-independent and mobile electronic device-independent widget using the SDK for deployment on a plurality of different OSs and devices without requiring the creation of many varying iterations of the same widget to meet the requirements of each.
Turning to Fig. 9, in accordance with embodiments of the invention, mobile client 40 comprises virtual machine 21 (described in detail above), secure element (SE) manager 23, extensions manager 24, and content handler 25. It should be noted that in other embodiments, one or more of the above can be omitted. For example, mobile client 40 can be configured without extensions manager 24 and content handler 25, as those programs may not be required or can be provided separate from the mobile client 40. In some embodiments, virtual machine 21 is configured to provide a stack-based runtime environment for the widgets, requiring no registers. For each operation, the operands are pushed on top of the stack in the correct order, allowing the accumulation of operands to allow the sequential execution of operations during the life of the thread of code that manages the execution context. It will of course be understood by those of ordinary skill in the art that other implementations of virtual machine 21 can be used, such as a register-based environment.
The runtime environment, which is executed in the processor, implements the core behavior of the programming code when invoked by a widget. The virtual machine 21 can then implement an action on the mobile electronic device 20, such as, for example, causing a connection to a secure application in the SE. Additionally or alternatively, the virtual machine 21 can translate the invocation into an invocation of the particular OS of the mobile electronic device 20, such as for causing the OS of the mobile electronic device 20 to connect directly to the wireless network, etc.
The SE manager 23 is configured to enable a widget to read from and/or write to the SE, provided the widget certificate has been authenticated by the virtual machine 21. The SE manager 23 enables the authenticated widget to access a secure application stored in the SE, which in some embodiments enables an NFC transaction to be performed by the mobile electronic device 20. This can be accomplished by the SE manager 23 first abstracting all the heterogeneous interfaces for accessing the SE into a platform-independent interface used by the widget. While the SE manager 23 is capable of providing communication between a plurality of widgets and a plurality of SEs, it is typically configured to provide access to a single SE using a single channel at any given time. Therefore, concurrent connections are blocked until the thread owning the connection releases it. To connect a widget with a secure application in a SE, the SE manager 23 can create an instance of a configured driver by specifying the driver's class name from the previously abstracted information, enabling access to the SE using the driver. Furthermore, due to the platform-independent interface, SE manager 23 is configured to provide access to a plurality of SEs installed (or installable) on a variety of mobile electronic devices 20.
In accordance with embodiments of the invention, mobile client 40 can also include extensions manager 24. Extensions manager 24 is responsible for managing all the extensions present in mobile client 40, and for providing an interface between extensions and the mobile client 40. Extensions incorporated into mobile client 40, and managed by extensions manager 24 can include extensions common to a plurality of OS platforms (i.e. RIM, J2ME, Nokia, Android, etc.), and Application Protocol Data Unit (APDU) extensions. Extensions manager 24 can also manage OS-specific extensions. Extensions manager 24 provides communication between virtual machine 21 and SE manager 23, and the extensions. In some embodiments, extensions manager 24 can be updated as necessary via wireless network 30 to ensure compatibility, and/or specific extensions may be provided to the extensions manager 24 directly when a data connection is requested that is not initially supported by the extensions present in mobile client 40. In some embodiments, extensions manager 24 can access a library of extensions present on the OS of the mobile electronic device 20 in lieu of an extension in mobile client 40.
Mobile client 40 can also include content handler 25. Content handler 25 is configured to provide communication between native third-party applications (such as third-party application 50) installed on the mobile electronic device 20 and the widgets. Content handler 25 is also configured to provide communication between third-party applications and secure applications stored in the SE. In particular, content handler 25 is responsible for managing incoming connections from third-party applications attempting to connect to a widget or secure application, and outgoing connections to third-party applications. Furthermore, content handler 25 maintains a list of actions available for third-party applications that are allowed to connect to widgets and/or secure applications.
In some embodiments, managing connections and interactions between third-party application 50 and widgets/secure applications is accomplished by employing a content handler plug-in 51. Content handler plug-in 51 is a specific library that must be implemented in third-party application 50 in order to be able to communicate and interact with the mobile client 40 through the content handler 25. The content handler plug-in 51 can comprise several parameters including: a unified reference locator (URL) of the content handler 25 for connection with the content handler 25; a widget identifier associated with each widget with which the third-party application 50 would like to communicate; and/or the list of actions available to the third-party application 50 for interacting with the mobile client 40. In some embodiments, by employing the content handler plug-in 51, third-party application 50 is configured with the identity of the widget and/or secure application (stored in the SE) with which it can interact. Only by calling the specific widget and/or secure application will content handler 25 enable communication with widgets via virtual machine 21, and with secure applications via secure element manager 23.
In accordance with aspects that can be included in embodiments constructed in accordance with the invention, if a widget is called by third-party application 50, but the widget is not present in the memory of mobile electronic device 20, content handler 25 can initiate a download of the widget from the widget distribution interface 13 over wireless network 30 via wireless modem 226. Conversely, if third-party application 50 is called by a widget, but the third-party application 50 is not present in the memory of mobile electronic device 20, content handler 25 can initiate a download of the third-party application 50 from the source server of the third-party application developer over wireless network 30 via wireless modem 226. In either instance, notifications can be provided via the mobile electronic device to the user that additional resources are needed to implement an action that has commenced at the mobile electronic device 20. Optionally, such notifications can include a prompt to the user to accept having such resources downloaded to the mobile electronic device.
Employing content handler 25 and content handler plug-in 51, functionality of mobile client 40 is broadened in a manner that, among other things, simplifies the conduct of a variety of NFC transactions. For example, a widget can be accessed directly from third-party application 50 without a mobile device user having to close the third-party application 50 and open the mobile client 40 in order to complete an NFC transaction via NFC transceiver 224. Third-party application 50 may, for example, require information that can be provided directly from one or more widgets (e.g. club membership information from a club card widget, location data from a GPS enabled widget, and/or payment information from a payment widget) in order to complete an NFC transaction, but does not require the full functionality of the associated secure applications. As such, an NFC transaction can be initiated and concluded from within the third-party application 50 while maintaining the security and integrity of the secure element, by providing third-party application 50 with access to the secure application via content handler 25 and content handler plug-in 51. This is in lieu of suspending the third-party application 50 in order to open a mobile wallet, for instance. Similarly, third-party application 50 can be accessed directly by the widget without the user having to leave or close the mobile client 40.
Furthermore, depending on the rights of the third-party application 50, which can be managed by settings established in the mobile client 40, similar reciprocal user access/functionality can be employed between third-party application 50 and a secure application located in the SE as between the widgets and the third-party application 50. This can occur, for example, when a mobile device user employs third-party application 50 (e.g., of a retail store) to browse for a product or service, but desires to pay for the product or service via NFC transaction, using a secure application provided by a trusted payment provider (e.g., VISA). As such, an NFC transaction can be initiated and concluded from within the third-party application 50 while maintaining the security and integrity of the secure element, by providing third-party application 50 with access to the secure application via content handler 25 and content handler plug-in 51. Finally, data exchange is selectively enabled between widgets/secure applications and third-party applications using the content handler system. As such, mobile client 50 can provide for secure and seamless management of NFC transactions between mobile electronic device 20 and other NFC-enabled devices 31 and/or POS terminals 32, using NFC transceiver 224, regardless of whether the transaction was initiated via the widget, the secure application in the SE, or a third-party application.
Turning now to Fig. 10, a flow chart showing a mobile distribution method in accordance with certain embodiments of the present invention is provided. At step 60, mobile client 40 is generated and includes the plurality of OS-specific and hardware-specific information and requirements which are embedded into mobile client 40 before deployment on each of a plurality of mobile electronic devices 20. For instance, the mobile client can comprise code such as a set of instructions executable in a processor of the mobile electronic device 20 once deployed. At step 61, mobile client 40 is distributed to one or more mobile electronic devices 20 across the wireless network 30 in a conventional manner, or is otherwise installed on the mobile electronic device 20 (e.g., by the device manufacturer). At step 62, OS-independent widgets are developed (e.g., by service providers, mobile network operators, etc.) using the SDK of the widget distribution interface 13, and at step 63 the widgets are wirelessly distributed to the one or more mobile electronic devices 20 over wireless network 30, and provided to mobile client 40. At step 64, should the widget developer desire to update, change, or delete the widget and/or should the widget require an update, change, or deletion, the widget can be appropriately modified without modification of the mobile client 40. Otherwise, the widget continues to reside on the mobile electronic devices 20 throughout the widget's lifecycle, and the method ends.
Turning now to Fig. 11, a system architecture diagram of an integrated distribution and transaction system for NFC services on mobile electronic devices is shown in accordance with further embodiments of the present invention. The distribution and transaction system employs access control mechanisms for widget management, allowing widgets to access only certain secure applications residing in a secure element of a mobile device to enable an NFC transaction. In some embodiments, in addition to any standard access control implemented by the mobile electronic device or by the secure element, the access control system for widget management can filter communication between widgets distributed to the mobile device and secure applications installed on a secure element operatively connected to the mobile device. The features and aspects described in Figs. 11-13 can be combined with the embodiments discussed above.
In some embodiments, the distribution and transaction system comprises a server 10' comprising a communication interface, a widget lifecycle management platform (see Fig. 1) having a widget generator 14, and an access control file manager 15. Communication interface 11 can communicate with a plurality of mobile electronic devices (MEDs), such as MED 20, via wireless network 30. As explained above, in some embodiments, the widget generator is a software development kit (SDK) of the widget lifecycle management platform, and the widget is an independent application that is developed using the SDK that can be run on a virtual machine 21 of a mobile electronic device 20. A widget may display multimedia content associated with a secure application and can be used to enable other programs or applications to perform selected tasks or functions.
Access control file manager 15 is a module comprising code which, when executed in the server processor (not shown), is configured to create and/or manage an access control (AC) file, which is described in further detail below. Like the widget lifecycle management platform, which employs the widget generator 14 to provide each widget with a widget certificate, access control file manager 15 likewise provides each AC file with an AC file certificate. The AC file certificate can then be authenticated by virtual machine 21 in a similar fashion as widget certificates are authenticated, once the AC file is provided to MED 20. In some embodiments widget certificates and AC file certificates can function as identification, as each certificate can contain a unique identifier. Additionally, in some embodiments, each certificate can contain human-readable data describing the certificate, public/private access key information, and/or a signature of the certificate authority. Access control file manager 15 can provide an AC file to MED 20 wirelessly over wireless network 30 using communication interface 11, and can update or otherwise manage the AC file as necessary.
In accordance with embodiments of the invention, MED 20 can include the virtual machine 21. Virtual machine 21 is an implementation of code stored in memory of MED 20 which, when executed in the MED processor (not shown), provides a widget management platform for managing widgets received by mobile electronic device 20 from the server 10, as described in detail above in the description of Fig. 1. MED 20 can also include NFC transceiver 224 for performing NFC transactions and wireless modem 226 for communicating with wireless network 30. MED 20 can be operatively connected to or coupled with secure element 225 in any manner as described above, and can comprise one or more secure applications. In some embodiments, secure element 225 can be divided into a plurality of secure domains, and secure applications can each be stored in a respective secure domain. NFC transceiver 224 can be configured to communicate with point-of-sale terminals and/or other NFC-enabled devices as described in detail above.
Turning now to Fig. 12, a flow chart showing a method for providing access control for widget management on a mobile electronic device in accordance with certain embodiments of the present invention is provided. The method starts at step 70 when access control file manager 15 generates an AC file where widget information can be stored and referenced for later access, as can be seen in the example of Fig. 13B. At step 71, access control file manager 15 assigns the AC file an AC file certificate which, as explained above, can be used to authenticate the AC file on MED 20. At step 72, widget generator 14 can generate a widget for distribution to MED 20, and at step 73, any widget so-generated is assigned a widget certificate. As indicated above, in some embodiments the widget certificate can be used as a unique identifier. It should be noted that while in this embodiment the AC is described as being generated before the widget, those of ordinary skill in the art will understand that the order in which the widget and AC file are generated can be reversed.
At step 74, the widget certificate is associated with application identification (AID) information relating to one or more secure applications stored in secure element 225. As explained in further detail below, AID information can include an application identifier and one or more descriptors or flags related to a secure application. At step 75, access control file manager 15 references the associated widget certificate and AID information of the one or more secure applications in the AC file. In some embodiments, a reference may be, for example, human-readable data describing the widget certificate and associated secure applications, or may be machine-readable code representative of the association. Each widget generated and distributed to MED 20 can be associated with one or more secure applications, and each association of every widget distributed can be referenced in one master AC file. Alternatively, a plurality of AC files can be provided, each AC file referencing one widget, or one group of widgets, with its respective associations.
Continuing with step 76, server 10 can provide the AC file to MED 20 over wireless network 30, where it is stored in memory of the device. At step 77, the AC file certificate of the AC file can be configured for authentication by virtual machine 21 as discussed above. Similarly, in step 78 a widget can be distributed to MED 20 over wireless network 30 in any conventional manner, and its certificate can be configured for authentication at step 79. Should virtual machine 21 fail to authenticate a widget certificate or AC file certificate for any reason, in some embodiments an alert can be sent to the device operator/owner, a server manager, and/or the certificate authority. It should be noted that while in the above embodiment widget certificates and their associated AID information are described as being referenced in the AC file prior to the AC file being provided to MED 20, in some embodiments the AC file can be provided first, and then access control file manager 15 can provide the relevant data subsequently for referencing. In some embodiments, every time a widget is distributed to MED 20 by server 10, or removed from MED 20, access control file manager 15 automatically updates the AC file residing on MED 20. Updating the AC file can include providing specific new data to memory or a data file, deleting outdated data from memory or a data file, or replacing the AC file in its entirety with a new AC file comprising correct data. As such, the AC file can always reflect the access control details of every widget installed on MED 20. Furthermore, in some embodiments, a copy of the AC file can be concurrently stored and managed on server 10 by access control file manager 15, so that a backup of the widget access control data can be provided if necessary, for example, should the AC file on MED 20 become corrupted or deleted.
Once a widget and an AC file are installed on MED 20 and authenticated by virtual machine 21, at step 80 virtual machine 21 can receive a request from the widget to access a secure application stored in secure element 225. A request may be triggered, for example, when a widget is selected on a user interface of the mobile device, and the widget requires access to a secure application to enable a process, function or action, such as causing an NFC transaction. In accordance with embodiments of the invention, in order for a widget to access a secure application, the widget must specify which secure application it would like to access by providing the AID information of that secure application. Virtual machine 21 can check the local AC file for the AID information to ensure that the widget has provided valid AID information at step 81. If the AID information provided by the widget is not valid, then at step 81 the request is rejected, at which point the widget can be prompted to provide another request or the process can end.
Additionally or alternatively, at step 83 virtual machine 21 can check the AC file to confirm that the widget certificate is referenced in the AC file prior to granting access to the secure application. If the widget certificate (widget identifier) is not properly referenced in the AC file, the request will likewise be rejected at step 82. In summary, virtual machine 21 can check that the widget's certificate appears in the AC file and that it is associated with the AID information of the secure application to which it is requesting access. If the widget request does not call the correct AID information, or the widget identifier is not found in the AC file, access will be denied. A notification can be provided in a similar fashion as with invalid certificates. For example, an error message can be displayed on a user interface, or a digital message can be sent, for example via e-mail, text message, or any other suitable means, to a user, or administrator etc. If the widget certificate and associated AID information are properly referenced in the AC file, access is granted at step 84, and the widget can enable the secure application to perform an NFC transaction. As such, virtual machine 21 can act as a proxy and provide an additional layer of access control security.
In some embodiments, the AID information can include a driver provided by secure element manager 23 of Figure 9, and virtual machine 21 can encapsulate the driver information into a second driver which can monitor accessed secure applications. Virtual machine 21 can then keep a record of any access provided to widgets. As mentioned above, in some further embodiments, AID information can further include one or more descriptors or flags related to a secure application. In some embodiments, flags can have associated values and can be strings that extend the initial structure of the AID information. A flag can be, for example, a "payment" flag, an "identification" flag, or a "communication" flag, each flag indicating a specific function or feature of the respective secure application. In consequence, flags can be employed to further filter widget access to secure applications based on which flags have been designated and associated with the AID information and the widget.
For example, a secure application may have more than one function or feature, but a widget requesting access to that secure application may only have access rights to access that secure application for one particular function and not another. Therefore, in some embodiments, a widget can only display multimedia content associated with a secure application, or enable the secure application to perform a function, if the widget calls the AID information with the correct flag. In some embodiments, flags can be used as filters to enable virtual machine 21 to quickly determine which widgets can access which secure applications. This can be accomplished by reading the content of an AC file such as the example AC file shown in Fig. 13B, locating all instances of the flag, and propagating a list for use by the virtual machine 21. For example, in some embodiments a widget can only call "payment" flags. In this instance, the virtual machine can search for all instances where "payment" flags appear in the AC file and then determine if the widget identifier (widget certificate) is associated with that AID information.
Turning now to Fig. 13A and Fig. 13B, exemplary representations of a widget and an AC file are provided respectively. Fig. 13A shows a widget labeled Widget 1 having a widget certificate labeled Widget Certificate (ID) 1. As mentioned above, while in some embodiments one widget can only access one secure application, in other embodiments one widget can access a plurality of secure applications. In the example of Fig. 13A, Widget 1 is provided with access to Secure Application 1 and Secure Application 2. Secure Application 1 comprises an application identifier AID 1, and a flag connoted by Flag A. Secure Application 2 comprises AID 2, Flag A and Flag B. In this example, should virtual machine 21 search for Flag A, both Secure Application 1 and Secure Application 2 will be accessible; however, should Flag B be searched, only Secure Application 2 will be accessible to the widget.
Fig. 13B shows an example AC file with an AC file certificate, comprising a reference directory of widgets and associated AID information, including application identifiers and flags for each widget. Included in the reference directory is the information relating to access control provided to Widget 1 of Fig. 13A. It will of course be understood by those of ordinary skill in the art that the format of the depictions of Fig. 13A and Fig. 13B is exemplary in nature, and is meant to convey the organization of access control information provided to widgets and AC files respectively. It should also be understood that such information may be provided as machine readable numeric or alphanumeric code, and that the labels and flags provided should not be understood as limiting.
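The access decision of steps 80 to 84 and the flag filter of Fig. 13A can be sketched as follows. This is an added illustration, not code from the patent or its applicant: the class and function names are hypothetical, certificate authentication is assumed to have happened elsewhere and is passed in as a boolean, the second widget entry is constructed, and the check requires both the AID match and the widget certificate reference, as in the summary above.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AidInfo:
    """AID information: an application identifier plus its flags."""
    aid: str
    flags: frozenset


@dataclass
class AcFile:
    """AC file: reference directory of widget certificate -> AID information."""
    certificate_ok: bool  # assumed outcome of AC file certificate authentication
    directory: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str


class VirtualMachineProxy:
    """Hypothetical stand-in for virtual machine 21 acting as an access proxy."""

    def __init__(self, ac_file):
        self.ac_file = ac_file
        self.access_record = []  # record of every request, granted or not

    def decide(self, widget_cert, widget_cert_ok, aid, flag):
        # Deny by default: nothing is checked against an unauthenticated
        # AC file or on behalf of an unauthenticated widget.
        if not (self.ac_file.certificate_ok and widget_cert_ok):
            return Decision(False, "certificate not authenticated")
        # Step 81: the AID information supplied by the widget must be valid,
        # i.e. appear somewhere in the local AC file.
        known_aids = {e.aid for entries in self.ac_file.directory.values()
                      for e in entries}
        if aid not in known_aids:
            return Decision(False, "AID information not valid")
        # Step 83: the widget certificate must be referenced in the AC file.
        entries = self.ac_file.directory.get(widget_cert)
        if entries is None:
            return Decision(False, "widget certificate not referenced")
        # The certificate must be associated with the requested AID.
        entry = next((e for e in entries if e.aid == aid), None)
        if entry is None:
            return Decision(False, "AID not associated with widget")
        # Flag filter: the widget must call the AID with a designated flag.
        if flag not in entry.flags:
            return Decision(False, "flag not designated for widget")
        return Decision(True, "access granted")  # step 84

    def request_access(self, widget_cert, widget_cert_ok, aid, flag):
        decision = self.decide(widget_cert, widget_cert_ok, aid, flag)
        self.access_record.append((widget_cert, aid, flag, decision))
        return decision

    def accessible_by_flag(self, widget_cert, flag):
        """List the AIDs a widget may reach when filtering on one flag."""
        if not self.ac_file.certificate_ok:
            return []
        entries = self.ac_file.directory.get(widget_cert, [])
        return sorted(e.aid for e in entries if flag in e.flags)


def build_example_vm():
    ac_file = AcFile(certificate_ok=True, directory={
        # Widget 1 as described for Fig. 13A.
        "Widget Certificate (ID) 1": [
            AidInfo("AID 1", frozenset({"Flag A"})),
            AidInfo("AID 2", frozenset({"Flag A", "Flag B"})),
        ],
        # Constructed second entry, so cross-widget requests can be shown.
        "Widget Certificate (ID) 2": [
            AidInfo("AID 3", frozenset({"Flag B"})),
        ],
    })
    return VirtualMachineProxy(ac_file)


if __name__ == "__main__":
    vm = build_example_vm()
    w1 = "Widget Certificate (ID) 1"
    for flag in ("Flag A", "Flag B"):
        print(flag, "->", vm.accessible_by_flag(w1, flag))
    for aid, flag in (("AID 2", "Flag B"), ("AID 1", "Flag B"), ("AID 3", "Flag B")):
        print(aid, flag, "->", vm.request_access(w1, True, aid, flag))
```

Because denied requests are recorded alongside granted ones, the access record also serves as the input for the notifications described for rejected requests.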
At this juncture, it should be noted that although much of the foregoing description has been directed to mobile integrated distribution and transaction systems and methods for NFC services, the systems and methods disclosed herein can be similarly deployed and/or implemented in scenarios, situations, and settings far beyond the referenced scenarios. It is to be understood that like numerals in the drawings represent like elements through the several figures, and that not all components and/or steps described and illustrated with reference to the figures are required for all embodiments or arrangements.
Thus, illustrative embodiments and arrangements of the present systems and methods provide a computer implemented method, computer system, and computer program product for providing integrated distribution and transaction systems and methods for NFC services related to mobile electronic devices. The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments and arrangements. In this regard, each block in the flowchart or block diagrams can represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The functions described herein can be implemented by hardware and/or hardware executing code (also known as programs, software, or software applications) which include machine instructions for a programmable processor, and can be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms machine-readable storage medium and computer-readable storage medium refer to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable storage medium that receives machine instructions as a machine-readable signal. The term machine-readable signal refers to any signal used to provide machine instructions and/or data to a programmable processor. A machine-readable storage medium does not include a machine-readable signal.
The systems and techniques described here can be implemented in a computing system that includes a back end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front end component (e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back end, middleware, or front end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), and the Internet.
The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any implementation or of what may be claimed, but rather as descriptions of features that may be specific to particular embodiments of particular implementations. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising", when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should be noted that use of ordinal terms such as "first," "second," "third," etc., in the claims to modify a claim element does not by itself connote any priority, precedence, or order of one claim element over another or the temporal order in which acts of a method are performed, but are used merely as labels to distinguish one claim element having a certain name from another element having a same name (but for use of the ordinal term) to distinguish the claim elements.
Also, the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. The use of "including," "comprising," or "having," "containing," "involving," and variations thereof herein, is meant to encompass the items listed thereafter and equivalents thereof as well as additional items.
Particular embodiments of the subject matter described in this specification have been described. Other embodiments are within the scope of the following claims. For example, the actions recited in the claims can be performed in a different order and still achieve desirable results. As one example, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.

Claims

WHAT IS CLAIMED IS:
1. A mobile distribution system, installed on a mobile electronic device having a processor, memory, and code in the memory for implementing a particular mobile operating system in the processor, and being operatively coupled to a secure element having one or more secure applications, the system comprising: a virtual machine configured to execute in the processor to provide a runtime environment capable of running a plurality of widgets and configured to enable the plurality of widgets to be operable on any of a plurality of mobile operating systems including the particular mobile operating system; and
a secure element manager configured to enable at least one widget of the plurality of widgets to read from or write to the secure element by providing the at least one widget with access to a corresponding one of the one or more secure applications stored in the secure element, and enabling the mobile electronic device to perform at least one NFC transaction using the corresponding one of the one or more secure applications;
wherein the secure element manager is configured to create an instance of a configured driver enabling access to the secure element in response to a request by the at least one widget to access the secure element; and
wherein the secure element manager is configured to provide access to a plurality of secure elements.
2. The system of claim 1, further comprising:
a content handler configured to provide at least one of the following: communication between a third-party application installed on the mobile electronic device and the at least one widget; and communication between the third-party application installed on the mobile electronic device and the corresponding one of the one or more secure applications stored in the secure element; and a content handler plug-in, the content handler plug-in being implemented in the third-party application, and enabling the third-party application to operatively communicate with the content handler.
3. The system of claim 2, the content-handler plug-in further comprising:
a unified reference locator (URL) of the content handler for connection to the content handler; and
at least one widget identifier associated with the at least one widget; wherein the at least one widget identifier is presented to the content handler via the URL to enable access by the third-party application to the at least one widget.
4. The system of claim 3, the virtual machine further configured to perform at least one of the following:
initiate a download of the at least one widget from a widget distribution interface over a wireless network when the at least one widget identifier associated with the at least one widget is presented to the content handler by the third-party application, but the at least one widget is not presently installed on the mobile electronic device; and
initiate a download of the third-party application from a third-party application distribution interface over the wireless network when the at least one widget attempts to communicate with the third-party application, but the third-party application is not presently installed on the mobile electronic device.
5. The system of claim 1, further comprising: an extensions manager configured using code executed in the processor to provide communication between at least one of the virtual machine and the secure element manager, and a plurality of extensions associated with the plurality of mobile operating systems.
6. The system of claim 1, wherein:
each of the plurality of widgets is configured to be operable in the runtime environment, using code executing in the processor, without necessitating configuration directly with the plurality of mobile operating systems; and wherein
each of the plurality of widgets can be added, removed, or updated without necessitating alteration of the runtime environment.
7. The system of claim 1, wherein: the plurality of widgets are configured for authentication by the virtual machine; and wherein
the secure element manager is configured to provide the at least one widget with access to the corresponding one of the one or more secure applications in response to the authentication by the virtual machine.
8. The system of claim 1, wherein the at least one widget displays multimedia content associated with the corresponding one of the one or more secure applications.
9. The system of claim 1, wherein the secure element is divided into a plurality of secure domains, and each of the one or more secure applications is stored in a respective secure domain.
10. The system of claim 1, wherein the corresponding one of the one or more secure applications comprises at least one of a transport application, a credit/debit application, a coupon application, a secure access application, a loyalty card application, an electronic purse application, and a ticketing application.
11. The system of claim 1, wherein the at least one secure element comprises at least one of a secure SIM card, a secure memory card, and secure internal memory.
12. A method of providing a mobile distribution system, for use on a mobile electronic device having a processor, memory, and code in the memory for implementing a particular mobile operating system in the processor, and being operatively coupled to a secure element having one or more secure applications, the method comprising:
generating a mobile client for distribution over a wireless network to the mobile electronic device, the mobile client comprising at least the following:
a virtual machine configured to execute in the processor to provide a runtime environment capable of running a plurality of widgets and configured to enable the plurality of widgets to be operable on any of a plurality of mobile operating systems including the particular mobile operating system; and
a secure element manager configured to enable at least one widget of the plurality of widgets to read from or write to the secure element by providing the at least one widget with access to a corresponding one of the one or more secure applications stored in the secure element, and enabling the mobile electronic device to perform at least one NFC transaction using the corresponding one of the one or more secure applications;
wherein the secure element manager is configured to create an instance of a configured driver enabling accessing to the secure element in response to a request by the at least one widget to access the secure element; and
wherein the secure element manager is configured to provide access to a plurality of secure elements; and distributing the mobile client to the mobile electronic device.
13. The method of claim 12, the mobile client further comprising:
a content handler configured to provide at least one of the following: communication between a third-party application installed on the mobile electronic device and the at least one widget; and communication between the third-party application installed on the mobile electronic device and the corresponding one of the one or more secure applications stored in the secure element; and a content handler plug-in, the content handler plug-in being implemented in the third-party application, and enabling the third-party application to operatively communicate with the content handler.
14. The method of claim 13, the content-handler plug-in further comprising:
a unified reference locator (URL) of the content handler for connection to the content handler; and
at least one widget identifier associated with the at least one widget; wherein the at least one widget identifier is presented to the content handler via the URL to enable access by the third-party application to the at least one widget.
15. The method of claim 14, further comprising:
initiating a download of the at least one widget from a widget distribution interface over the wireless network when the at least one widget identifier associated with the at least one widget is presented to the content handler by the third-party application, but the at least one widget is not presently installed on the mobile electronic device; and
initiating a download of the third-party application from a third-party application distribution interface over the wireless network when the at least one widget attempts to communicate with the third-party application, but the third-party application is not presently installed on the mobile electronic device.
16. The method of claim 10, the mobile client further comprising: an extensions manager configured using code executed in the processor to provide communication between at least one of the virtual machine and the secure element manager, and a plurality of extensions associated with the plurality of mobile operating systems.
17. The method of claim 12, further comprising:
generating the plurality of widgets, each of the plurality of widgets configured to be operable in the runtime environment, using code executing in the processor, without necessitating configuration directly with the plurality of mobile operating systems, and each of the plurality of widgets configured to be added, removed, or updated without necessitating alteration of the runtime environment; and
distributing the plurality of widgets to the mobile electronic device over the wireless network.
18. The method of claim 12, wherein:
the plurality of widgets are configured for authentication by the virtual machine; and wherein the secure element manager is configured to provide the at least one widget with access to the corresponding one of the one or more secure applications in response to the authentication by the virtual machine.
19. The method of claim 12, wherein the at least one widget displays multimedia content associated with the corresponding one of the one or more secure applications.
20. The method of claim 12, wherein the secure element is divided into a plurality of secure domains, and each of the one or more secure applications is stored in a respective secure domain.
21. The method of claim 12, wherein the corresponding one of the secure applications comprises at least one of a transport application, a credit/debit application, a coupon application, a secure access application, a loyalty card application, an electronic purse application, and a ticketing application.
22. The method of claim 12, wherein the at least one secure element comprises at least one of a secure SIM card, a secure memory card, and secure internal memory.
23. A method for providing access control for widget management on a mobile electronic device having a processor, a memory, code in the memory for implementing in the processor a virtual machine, and an NFC transceiver, the mobile electronic device being operatively coupled to a secure element and being in wireless communication with a server over at least one wireless network, the server having a server processor and a server memory, the method comprising:
generating, by the server, a widget having a widget certificate;
associating, by the server, the widget certificate with application identification (AID) information corresponding to at least one secure application stored in the secure element;
referencing, by the server, the widget certificate and the associated AID information in an access control (AC) file having an AC file certificate; providing, by the server, the AC file to the mobile electronic device over the wireless network;
configuring the widget certificate and the AC file for authentication; and determining whether to provide the widget with access to the at least one secure application to enable the at least one secure application to perform at least one NFC transaction;
wherein, in response to the authentication of the widget certificate and the AC file certificate, the virtual machine is configured to provide the widget with access to the at least one secure application when at least one of:
(a) the widget specifies the associated AID information of the at least one secure application referenced in the AC file, and
(b) the widget certificate referenced in the AC file matches the authenticated widget certificate.
24. The method of claim 23, further comprising updating the AC file when a widget is added to, modified on, or removed from the mobile electronic device.
25. The method of claim 23, wherein configuring the widget certificate for authentication comprises verifying the widget certificate by the virtual machine upon distribution of the widget to the mobile electronic device; and wherein configuring the AC file for authentication comprises verifying the AC file certificate by the virtual machine upon providing the AC file to the mobile electronic device.
26. The method of claim 23, wherein the AID information comprises an application identifier and at least one access control flag, further comprising configuring the virtual machine to filter widget access to the at least one secure application based on the at least one access control flag.
27. The method of claim 26, further comprising displaying via the widget multimedia content associated with the at least one secure application to which access has been provided based on the at least one access control flag.
28. The method of claim 26, wherein the at least one access control flag is at least one of a payment flag, an identification flag, and a communication flag.
29. The method of claim 23, further comprising dividing the secure element into a plurality of secure domains, and storing the at least one secure application in a respective secure domain.
30. The method of claim 23, further comprising configuring the widget to respond to the at least one NFC transaction occurring by retrieving information on the at least one NFC transaction associated with the secure application.
31. The method of claim 23, wherein the at least one secure application comprises at least one of a transport application, a credit/debit application, a coupon application, a secure access application, a loyalty card application, an electronic purse application, and a ticketing application.
32. The method of claim 23, wherein the at least one secure element comprises at least one of a secure SIM card, a secure memory card, and secure internal memory.
33. A system for providing widget access control management on a mobile electronic device having a processor, a memory, code in the memory for implementing in the processor a virtual machine, and an NFC transceiver, the mobile electronic device being operatively coupled to a secure element and being in wireless communication with a server over at least one wireless network, the server having a server processor and a server memory, the system comprising:
a widget generator for creating a widget having a widget certificate and application identification (AID) information corresponding to at least one secure application stored in the secure element and associated with the widget;
an Access Control (AC) file manager for managing data stored in an AC file having an AC file certificate; and
a communication interface for distributing the widget and the AC file to the mobile electronic device over the at least one wireless network;
wherein the widget certificate and the AID information of the associated at least one secure application are stored by the AC file manager in the AC file; wherein the widget certificate and the AC file are configured for authentication; and
wherein, in response to a request by the widget to enable the at least one secure application to perform at least one NFC transaction, and subject to the authentication of the widget certificate and the AC file certificate, the virtual machine is configured to provide the widget with access to the at least one secure application when at least one of:
(a) the widget specifies the associated AID information of the at least one secure application referenced in the AC file, and
(b) the widget certificate referenced in the AC file matches the authenticated widget certificate.
34. The system of claim 33, wherein the AC file manager is further configured to update the AC file when a widget is added to, modified on, or removed from the mobile electronic device.
35. The system of claim 33, wherein the widget is configured for authentication through verification of the widget certificate by the virtual machine upon distribution of the widget to the mobile electronic device; and
wherein the AC file is configured for authentication through verification of the AC file certificate by the virtual machine upon providing the AC file to the mobile electronic device.
36. The system of claim 33, wherein the AID information comprises an application identifier and at least one access control flag, wherein the virtual machine is further configured to filter widget access to the at least one secure application based on the at least one access control flag.
37. The system of claim 36, wherein the widget is further configured to display multimedia content associated with the at least one secure application to which access has been provided based on the at least one access control flag.
38. The system of claim 36, wherein the at least one access control flag is at least one of a payment flag, an identification flag, and a communication flag.
39. The system of claim 33, wherein the secure element is divided into a plurality of secure domains, and wherein the at least one secure application is stored in a respective secure domain.
40. The system of claim 33, wherein the widget is configured to respond to the at least one NFC transaction occurring by retrieving information on the at least one NFC transaction associated with the secure application.
41. The system of claim 33, wherein the at least one secure application comprises at least one of a transport application, a credit/debit application, a coupon application, a secure access application, a loyalty card application, an electronic purse application, and a ticketing application.
42. The system of claim 33, wherein the at least one secure element comprises at least one of a secure SIM card, a secure memory card, and secure internal memory.
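The access decision recited in claims 33, 36 and 38, sketched as an added Python example that is not part of the patent text. Assumptions: certificate authentication is modelled as a SHA-256 fingerprint lookup in a trusted set, the names ACEntry, ACFile and check_access and all sample values are hypothetical, and the check requires both conditions (a) and (b), the stricter reading of "at least one of".

```python
import hashlib
from dataclasses import dataclass

FLAGS = {"payment", "identification", "communication"}  # claims 28 and 38

def fingerprint(cert: bytes) -> str:
    """SHA-256 digest; an assumed stand-in for real certificate verification."""
    return hashlib.sha256(cert).hexdigest()

@dataclass(frozen=True)
class ACEntry:            # hypothetical record layout for one AC file row
    widget_fp: str        # fingerprint of the widget certificate
    aid: str              # application identifier of the secure application
    flags: frozenset      # access control flags granted for this pairing

@dataclass(frozen=True)
class ACFile:
    cert: bytes           # AC file certificate
    entries: tuple        # ACEntry rows

def check_access(ac, widget_cert, aid, flag, trusted_fps):
    """Deny by default; allow only an authenticated widget bound to this AID and flag."""
    if flag not in FLAGS:
        return False
    widget_fp = fingerprint(widget_cert)
    # Precondition of claim 33: both certificates must authenticate.
    if widget_fp not in trusted_fps or fingerprint(ac.cert) not in trusted_fps:
        return False
    for entry in ac.entries:
        aid_ok = entry.aid == aid                  # condition (a)
        cert_ok = entry.widget_fp == widget_fp     # condition (b)
        if aid_ok and cert_ok and flag in entry.flags:   # claim 36 flag filter
            return True
    return False

# Constructed sample data: certificate bytes and AIDs are placeholders.
WIDGET_A = b"constructed widget certificate A"
WIDGET_B = b"constructed widget certificate B"
AC_CERT = b"constructed AC file certificate"
TRUSTED = {fingerprint(c) for c in (WIDGET_A, WIDGET_B, AC_CERT)}
PAYMENT_AID, TRANSIT_AID = "F0010203040501", "F0010203040502"
AC = ACFile(AC_CERT, (
    ACEntry(fingerprint(WIDGET_A), PAYMENT_AID, frozenset({"payment", "communication"})),
    ACEntry(fingerprint(WIDGET_B), TRANSIT_AID, frozenset({"communication"})),
))

if __name__ == "__main__":
    print(check_access(AC, WIDGET_A, PAYMENT_AID, "payment", TRUSTED))
    print(check_access(AC, WIDGET_B, PAYMENT_AID, "payment", TRUSTED))
```

In the sample data, widget B authenticates but is refused the payment application because the AC file binds that AID to widget A only.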
EP14815864.5A 2013-07-03 2014-07-03 A moblie integrated distribution and transaction system and method for nfc services, and a mobile electronic device thereof Withdrawn EP3017394A2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/934,726 US8958746B2 (en) 2009-12-11 2013-07-03 Mobile integrated distribution and transaction system and method for NFC services, and a mobile electronic device thereof
US13/964,680 US8942672B2 (en) 2009-12-11 2013-08-12 Mobile integrated distribution and transaction system and method for NFC services, and a mobile electronic device thereof
PCT/IB2014/002329 WO2015008167A2 (en) 2013-07-03 2014-07-03 A moblie integrated distribution and transaction system and method for nfc services, and a mobile electronic device thereof

Publications (1)

Publication Number Publication Date
EP3017394A2 (en) 2016-05-11

Family

ID=52134250

Family Applications (1)

Application Number Title Priority Date Filing Date
EP14815864.5A Withdrawn EP3017394A2 (en) 2013-07-03 2014-07-03 A moblie integrated distribution and transaction system and method for nfc services, and a mobile electronic device thereof

Country Status (4)

Country Link
EP (1) EP3017394A2 (en)
CN (1) CN105830084B (en)
EA (1) EA201690052A1 (en)
WO (1) WO2015008167A2 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108701300A (en) * 2015-11-30 2018-10-23 信赛克香港有限公司 Multi-scheme pays mobile device and system
EP3836503A1 (en) * 2019-12-10 2021-06-16 Nxp B.V. Access control for near field communication functions

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
CN101657836A (en) * 2007-01-09 2010-02-24 维萨美国股份有限公司 Mobile phone payment process including threshold indicator
JP2011501830A (en) * 2007-11-13 2011-01-13 ノキア コーポレイション Method and apparatus comprising a browser
CN101359383A (en) * 2008-09-23 2009-02-04 中国移动通信集团广东有限公司 Non-contact card application management system and management method based on mobile communication
WO2011153688A1 (en) * 2010-06-09 2011-12-15 香港商多隆科技有限公司 System, method and readable media for mobile distribution and transaction applied in near field communication (nfc) service
BR112014008941A2 (en) * 2011-10-12 2017-05-02 C-Sam Inc platform that enables secure multilayer mobile transactions

Non-Patent Citations (2)

Title
None *
See also references of WO2015008167A2 *

Cited By (2)

Publication number Priority date Publication date Assignee Title
CN107302544A (en) * 2017-08-15 2017-10-27 迈普通信技术股份有限公司 Certificate request method, wireless access control equipment and wireless access point device
CN107302544B (en) * 2017-08-15 2019-09-13 迈普通信技术股份有限公司 Certificate request method, wireless access control equipment and wireless access point device

Also Published As

Publication number Publication date
CN105830084B (en) 2018-11-16
CN105830084A (en) 2016-08-03
WO2015008167A2 (en) 2015-01-22
WO2015008167A3 (en) 2015-07-02
EA201690052A1 (en) 2016-08-31

Similar Documents

Publication Publication Date Title
US8942672B2 (en) Mobile integrated distribution and transaction system and method for NFC services, and a mobile electronic device thereof
US11039301B2 (en) Apparatuses, methods and systems for implementing a system-on-chip with integrated reprogrammable cellular network connectivity
US8958746B2 (en) Mobile integrated distribution and transaction system and method for NFC services, and a mobile electronic device thereof
EP2211480B1 (en) Wireless communication device for providing at least one near field communication service
US8532572B2 (en) Mobile integrated distribution and transaction system and method for NFC services, and a mobile electronic device thereof
US10516990B2 (en) Apparatuses, methods and systems for implementing a trusted subscription management platform
CN103530775B (en) Method and system for providing a controllable trusted service management platform
KR102318877B1 (en) Apparatus and method for displaying user interface
US8630747B2 (en) Alternative authorization for telematics
US20110072425A1 (en) Method for installing and managing nfc applications with pictures
GB2457221A (en) Smart Card Web Server (SCWS) administration within a plurality of security domains
EP2764481B1 (en) Method and system for executing a contactless transaction allowing multiple applications and multiple instances of the same application
WO2012068292A1 (en) System and method for physical-world based dynamic contactless data emulation in a portable communication device
EP3044902A1 (en) Systems and methods for providing secure digital identification
KR20130116905A (en) System and method for managing mobile wallet and its related credentials
US10902307B1 (en) Universal integrated circuit card (UICC) toolkit
EP3257281A1 (en) Communication with plurality of cellular networks using cellular modem and virtual subscriber identity modules stored in software-based embedded universal integrated circuit card (euicc)
US20190246266A1 (en) Apparatuses, methods and systems for implementing a system-on-chip with integrated reprogrammable cellular network connectivity
WO2013098117A1 (en) A method to manage contactless communication in a user device
EP3017394A2 (en) A moblie integrated distribution and transaction system and method for nfc services, and a mobile electronic device thereof
EP2582062A1 (en) System, method and readable media for mobile distribution and transaction applied in near field communication (nfc) service
Roduner et al. BIT—A framework and architecture for providing digital services for physical products
Munch-Ellingsen et al. Customer managed security domain on mobile network operators’ SIM cards: Opportunities to enable new business models
Ergeerts et al. Vision towards an open electronic wallet on NFC smartphones
Dhanabal NFC connection handover protocol: an application prototype

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20160202

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20190321

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20191001