Patent classifications
H04W12/48
METHOD FOR SESSION CREATION AND RELATED EQUIPMENT
A method for session creation is provided. The method includes: acquiring a signing certificate of a first application or a digital fingerprint of the signing certificate when performing network connection; matching the signing certificate of the first application or the digital fingerprint of the signing certificate with application descriptors in a UE route selection policy (URSP) rule distributed by a network side; and creating a session for the first application.
SEPARATE NETWORK SLICING FOR SECURITY EVENTS PROPAGATION ACROSS LAYERS ON SPECIAL PACKET DATA PROTOCOL CONTEXT
An apparatus and system to provide separate network slices for security events are described. A dedicated secure network slice is provided for PDP data from a UE. The network slice is used for detecting security issues and sending security-related information to clients. The communications in the dedicated network slice are associated with a special PDP context used by the UE to interface with the network slice. Once the UE has detected a security issue or has been notified of the security issue on the network or remote servers, the UE uses a special PDP service, and is able to stop uplink/downlink channels, close running applications and enter into a safe mode, cut off connections to the networks, and try to determine alternate available connectivity.
Loading security information with restricted access
An approach for providing security information to a device to enable the device to secure end-to-end data communication with an end server. The security information is downloaded to a SIM of the device in response to an authentication message issued by the device. The security information is secured within the SIM so that it can only be accessed/interpreted using a first key associated with the device. The securing is performed based on identity data, identifying the device or components thereof, contained in the authentication message.
PROVISIONING OF SECURE APPLICATION
Methods and devices for provisioning a secure application on an electronic device with first issuer data for a first issuer are described. In an embodiment, the provisioning system receives and stores first issuer records. The example provisioning system receives a provisioning request to provision the secure application with the first issuer data. The provisioning request includes identifying information. The example provisioning system evaluates the provisioning request based on at least one of the first issuer evaluation criteria, the first issuer records and the identifying information in the provisioning request. When the provisioning request satisfies the first issuer evaluation criteria, the example provisioning system generates a signal using the communication module to provide the first issuer data to the electronic device to provision the secure application on the electronic device.
Mobile device authentication using different channels
An authentication system is disclosed which is configured, in response to receiving a request to authenticate a transaction, to send a first challenge to a mobile terminal via a first channel and, in response to receiving a first response to the first challenge to determine whether the first response is correct, to send a second challenge to the mobile terminal via a second, different channel and, in response to receiving a second response to the second challenge to determine whether the second response is correct, and, in dependence upon the first and second responses being correct, to signal that the transaction is authenticated.
Single sign-on control function (SOF) for mobile networks
A new control function is defined for the control plane of a 5G mobile network to enable the operator's mobile user, who is using a premium network slice, to access application services on the public Internet, by operator sign-on only when accessing the application on said slice. This unique single sign-on capability allows the user to bypass the service authentication after operator authenticates the mobile device by the user session establishment procedure. The new function registers a plurality of service applications, which sign-up for single sign-on capability. It also coordinates the mapping and storage of credentials of the user across the mobile operator's service and the service provider's application for each of said plurality of service applications, and transfers user credentials to the application so that the user's sign-in step is bypassed.
Methods, systems, and computer readable media for resource cleanup in communications networks
Methods, systems, and computer readable media for resource cleanup in communications networks are disclosed. One method for resource cleanup in a communications network comprises: at a policy control function (PCF) comprising at least one processor: receiving, from a binding support function (BSF), a first notification indicating a potentially stale or inactive first binding record, wherein the first notification includes context data associated with the first binding record; determining that resource cleanup associated with the first binding record should be performed; and initiating, using the context data, resource cleanup associated with the first binding record at one or more network entities.