US10064055B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10064055-B2 |
| Application number | US-201615287597-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 6, 2016 |
| Priority date | Jan 28, 2009 |
| Publication date | Aug 28, 2018 |
| Grant date | Aug 28, 2018 |
Official abstract text for this publication.
Secure architectures and methods for improving the security of mobile devices are disclosed. Also disclosed are apparatuses and methods to detect and mitigate fraud in device-assisted services implementations.
Claims.
The invention claimed is:
1. A method of operating a network system, the method comprising: receiving a first request from any first device in a plurality of similar wireless end-user devices, the first request for a secure device credential, performing a verification step of one or more device identifiers supplied by the first device, and, upon a successful verification in the verification step, generating a secure device credential for the first device, associating the secure device credential with one or more device identifiers of the first device, and securely sending the secure device credential to the wireless end-user device; based at least in part on the secure device credential, negotiating a secure message link between a message link server in the network system and a device link agent in the first device; receiving, over the secure message link, a second request from the first device, the second request for a secured application credential, for any first application identified from a plurality of device applications registered to use wireless network communications, the second request comprising a general application credential for the first application; and in response to the second request, generating, based on the identified first application and the secure device credential, a first secured application credential unique to the first device, and sending the first secured application credential to the first device over the secure message link.
2. The method of claim 1, wherein generating the first secured application credential comprises creating a combination of the general application credential and the secure device credential.
3. The method of claim 1, further comprising, in response to receiving the first request and prior to performing the verification step, returning to the first device a network system credential that is verifiable through a trusted certificate authority.
4. The method of claim 1, wherein generating a secure device credential for the first device comprises encrypting the credential with a key known by at least one element of the network system.
5. The method of claim 1, further comprising routing a network message to the identified first application over the secure message link, using the first secured application credential to indicate that the identified first application is to receive the network message.
6. The method of claim 1, wherein the first secured application credential is a run-time application credential.
7. The method of claim 6, further comprising receiving, from the device link agent over the secure message link, the run-time application credential, and evaluating the run-time application credential at an element of the network system.
8. The method of claim 7, further comprising, in response to evaluating the run-time application credential, returning a network policy setting over the secure message link to the device link agent, the network policy setting applicable to the first application.
9. The method of claim 7, wherein the element of the network system is an authentication server, the network system further comprising an application credential database coupled to the authentication server and storing secured application credentials, including the first secured application credential.
10. The method of claim 1, further comprising, based on a first device event, refreshing the first secured application credential to create a different secured application credential unique to the first device, and sending the different secured application credential to the first device, the different credential superseding the first secured application credential.
11. The method of claim 1, further comprising, in response to the second request, verifying that the general application credential matches a known-application credential for the first application.
12. The method of claim 11, wherein the known-application credential is uploaded to the network system via an application developer service design center.
13. The method of claim 11, further comprising obtaining the known-application credential from an app store.
14. The method of claim 1, the verification step further comprising evaluating a subscriber identifier associated with one or more wireless end-user devices, including the first device.
15. The method of claim 14, further comprising generating the secure device credential based at least in part on one or more of the device identifiers and also on the subscriber identifier.
16. The method of claim 1, further comprising forwarding network messages to the first application on the first device over the secure message link, based on the first secured application credential.
17. The method of claim 1, wherein the secure device credential is a credential associated with a service processor on the first device, the method further comprising confirming the identity of the service processor based at least in part on the secure device credential.
18. The method of claim 1, wherein a first subscriber is associated with both the first device and with a second wireless end-user device, the method further comprising the network system generating, based on the identified first application and a second secure device credential associated with the second device, a second secured application credential unique to the second device.
19. The method of claim 2, wherein the combination comprises a hash.
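The network-system side of the two-step credential flow in the claims (device identifiers and subscriber identifier verified, then a secure device credential issued; the general application credential checked against a known-application credential; a device-unique secured application credential derived as a hash combination of the two; run-time evaluation returning a policy setting; refresh on a device event; distinct credentials for two devices of one subscriber), as an added worked example that is not the patent's own code. The claims fix no algorithm beyond "combination" and "hash" (claims 2 and 19), so keyed HMAC-SHA256 under a network-side secret, the in-memory databases, the refresh counter and every identifier below are assumptions of this example; the secure message link of claim 1 is assumed to already exist and is not modelled.

```python
"""Toy model of the network-system side of the credential flow in claims 1-19.

Added illustration, not code from the patent. Assumptions: HMAC-SHA256 keyed by
a network-side secret stands in for the 'combination'/'hash' of claims 2 and 19,
in-memory dicts stand in for the subscriber, known-application and application
credential databases (claims 9, 11-14), and a per-(device, app) counter drives
the refresh of claim 10. All names and identifiers are constructed for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


class CredentialError(Exception):
    """A verification step in the flow failed; no credential is issued."""


@dataclass
class NetworkSystem:
    key: bytes                                   # key known to the network system (claim 4)
    subscribers: dict = field(default_factory=dict)  # subscriber_id -> set of permitted device ids (claim 14)
    known_apps: dict = field(default_factory=dict)   # app_id -> known-application credential (claims 11-13)
    policies: dict = field(default_factory=dict)     # app_id -> network policy setting (claim 8)
    device_creds: dict = field(default_factory=dict) # secure device credential -> (device_ids, subscriber_id)
    app_creds: dict = field(default_factory=dict)    # secured app credential -> (device_cred, app_id) (claim 9)
    _epochs: dict = field(default_factory=dict)      # (device_cred, app_id) -> refresh count (claim 10)

    def _mac(self, *parts: str) -> str:
        # Keyed hash over the labelled parts; the label keeps device and app
        # credential derivations in separate domains.
        return hmac.new(self.key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

    def issue_device_credential(self, device_ids: tuple, subscriber_id: str) -> str:
        """First request (claims 1, 14, 15): verify identifiers, derive and record the credential."""
        permitted = self.subscribers.get(subscriber_id, set())
        if not device_ids or not permitted.issuperset(device_ids):
            raise CredentialError("device identifier verification failed")
        cred = self._mac("device", subscriber_id, *device_ids)
        self.device_creds[cred] = (device_ids, subscriber_id)
        return cred

    def issue_app_credential(self, device_cred: str, app_id: str, general_app_cred: str) -> str:
        """Second request (claims 1, 2, 11, 19): check the general credential, bind it to the device."""
        if device_cred not in self.device_creds:
            raise CredentialError("unknown secure device credential")
        known = self.known_apps.get(app_id)
        if known is None or not hmac.compare_digest(known, general_app_cred):
            raise CredentialError("general application credential does not match known application")
        epoch = self._epochs.get((device_cred, app_id), 0)
        app_cred = self._mac("app", device_cred, app_id, general_app_cred, str(epoch))
        self.app_creds[app_cred] = (device_cred, app_id)
        return app_cred

    def evaluate(self, app_cred: str):
        """Run-time evaluation (claims 7, 8): current credential -> policy setting, else None."""
        entry = self.app_creds.get(app_cred)
        return None if entry is None else self.policies.get(entry[1])

    def refresh_app_credential(self, old_app_cred: str) -> str:
        """Device event (claim 10): issue a superseding credential and retire the old one."""
        device_cred, app_id = self.app_creds.pop(old_app_cred)
        self._epochs[(device_cred, app_id)] = self._epochs.get((device_cred, app_id), 0) + 1
        return self.issue_app_credential(device_cred, app_id, self.known_apps[app_id])


def run_scenario() -> dict:
    """Constructed data: one subscriber with two devices and one registered app."""
    ns = NetworkSystem(
        key=b"example-network-key-not-a-real-secret",
        subscribers={"sub-0001": {"imei-111", "imei-222"}},
        known_apps={"com.example.mail": "general-cred-mail-v1"},
        policies={"com.example.mail": {"allow_background": False, "rate_limit_kbps": 256}},
    )
    d1 = ns.issue_device_credential(("imei-111",), "sub-0001")
    d2 = ns.issue_device_credential(("imei-222",), "sub-0001")   # second device, same subscriber (claim 18)
    a1 = ns.issue_app_credential(d1, "com.example.mail", "general-cred-mail-v1")
    a2 = ns.issue_app_credential(d2, "com.example.mail", "general-cred-mail-v1")
    policy_before = ns.evaluate(a1)
    a1_new = ns.refresh_app_credential(a1)                        # device event on device 1
    return {"ns": ns, "d1": d1, "d2": d2, "a1": a1, "a2": a2,
            "a1_new": a1_new, "policy_before": policy_before}


if __name__ == "__main__":
    r = run_scenario()
    print("device creds differ:", r["d1"] != r["d2"])
    print("app creds differ per device:", r["a1"] != r["a2"])
    print("old credential still evaluates:", r["ns"].evaluate(r["a1"]) is not None)
    print("refreshed credential policy:", r["ns"].evaluate(r["a1_new"]))
```

The design point to notice is that the secured application credential is bound to a specific device credential, so a credential lifted from one device is useless on another even for the same application, and a refresh invalidates the previous value at the authentication server rather than only on the device.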
CPC classification titles:
- using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code, H04L9/3226)
- based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- Updates (security arrangements therefor, G06F21/57)
- involving the movement of software or configuration parameters (network booting or remote initial program loading [RIPL], G06F9/4416)
- for managing network security; network security policies in general (filtering policies, H04L63/0227)