Device activity and data traffic signature-based detection of mobile device health

US2016072834A1 · US · A1

Patent metadata

Publication number: US-2016072834-A1
Application number: US-201514847697-A
Country: US
Kind code: A1
Filing date: Sep 8, 2015
Priority date: Sep 8, 2014
Publication date: Mar 10, 2016
Grant date:

Abstract


The subject matter described herein includes methods, systems, and computer program products for data traffic signature-based detection and protection against malware. According to one method, data traffic and behavior associated with a computing device is monitored and a device activity signature is created that includes an abstraction of the data traffic. A classification of the device activity signature is determined and a policy decision for the computing device is applied based on the determined classification.

First claim


What is claimed is:

  1. A method comprising: monitoring data traffic and other activity associated with a computing device; creating a device activity signature of the data traffic and other device behavior that includes an abstraction of the activity and data traffic; determining a classification of the device activity signature; and applying a policy decision for the computing device based on the determined classification.

  2. The method of claim 1, wherein monitoring the device activity includes collecting device and application activity data recorded by an operating system associated with the device and stored in counters, logs, or system files, or collecting activity directly from hardware device or mobile application.

  3. The method of claim 1, wherein monitoring the device activity includes utilizing data collection software installed on the computing device.

  4. The method of claim 1, wherein creating the device activity signature includes characterizing at least one of: all traffic from the computing device or traffic associated with individual applications executed by the computing device.

  5. The method of claim 1, wherein creating the device activity signature includes at least one of: a byte volume of traffic, a connection volume, a number of application errors, a type of application error, network destination, network protocol, application protocol, IP port, patterns in the content of the transmission, device location, network technology in use, application transmitting or receiving the data, and an indication whether the screen is on or off and/or whether the user is engaging in other activity on the device such as typing or talking.

  6. The method of claim 1, wherein determining a classification of the device activity signature includes classifying the device activity signature as either normal or anomalous.

  7. The method of claim 1, wherein determining a classification of the device activity signature includes determining one of a degree of similarity or a degree of difference between the device activity signature and a reference device activity signature.

  8. The method of claim 7, wherein the reference device activity signature includes one of: a device behavior or traffic signature based on a population of devices similar to the computing device or a signature associated with the computing device at a previous time.

  9. The method of claim 1, further comprising updating the device activity signature to incorporate an expected signature based on user-initiated changes to applications installed on the computing device.

  10. The method of claim 9, wherein the expected signature is associated with installing and executing a new application on the computing device.

  11. The method of claim 9, wherein the expected signature includes increased data traffic for an application that is associated with an increase in user screen time for the application.

  12. The method of claim 9, wherein the expected signature includes a gradual increase in the volume of the data traffic over a predetermined period of time.

  13. The method of claim 9, wherein the expected signature includes use of a new communication port known to be associated with installation and execution of a user-initiated application on the computing device.

  14. The method of claim 1, wherein applying the policy decision includes at least one of: logging the monitored data traffic, providing an alert to a user, preventing an application or service from being executed by the computing device, or other action applied in response to device's non-optimal behavior.

  15. A system comprising: a monitoring module configured to monitor data traffic and other activity associated with a computing device; a device activity signature module configured to create a signature of the device traffic and behavior that includes an abstraction of the data traffic and other device activity; and a policy decision module configured to determine a classification of the device activity signature and to apply a policy decision for the computing device based on the determined classification.

  16. The system of claim 15, wherein the monitoring module is configured to collect device and application activity data recorded by an operating system associated with the device and stored in counters, logs, or system files, or collecting activity directly from hardware device or mobile application.

  17. The system of claim 15, wherein the monitoring module is configured to utilize data collection software installed on the computing device.

  18. The system of claim 15, wherein the device activity signature module is configured to characterize at least one of: all traffic from the computing device or traffic associated with individual applications executed by the computing device.

  19. The system of claim 15, wherein the device activity signature module is configured to create the traffic signature including at least one of: a byte volume of traffic, a connection volume, a number of application errors, network destination, network protocol, application protocol, IP port, patterns in the content of the transmission, device location, network technology in use, application transmitting or receiving the data, a type of application error, and an indication whether the screen is on or off and/or whether the user is engaging in other activity on the device such as typing or talking.

  20. The system of claim 15, wherein the policy decision module is configured to classify the signature as either normal or anomalous.

  21. The system of claim 15, wherein the policy decision module is configured to determine one of a degree of similarity or a degree of difference between the signature and a reference activity signature.

  22. The system of claim 21, wherein the reference device activity signature includes one of: a device behavior or traffic signature based on a population of devices similar to the computing device or a signature associated with the computing device at a previous time.

  23. The system of claim 15, wherein the device activity signature module is configured to update the device behavior or traffic signature to incorporate an expected signature based on user-initiated changes to applications installed on the computing device.

  24. The system of claim 23, wherein the expected signature is associated with installing and executing a new application on the computing device.

  25. The system of claim 23, wherein the expected signature includes increased data traffic for an application that is associated with an increase in user screen time for the application.

  26. The system of claim 23, wherein the expected signature includes a gradual increase in the volume of the data traffic over a predetermined period of time.

  27. The system of claim 23, wherein the expected signature includes use of a new communication port known to be associated with installation and execution of a user-initiated application on the computing device.

  28. The system of claim 15, wherein the policy decision module is configured to apply the policy decision including at least one of: logging the monitored data traffic, providing an alert to a user, preventing an application or service from being executed by the computing device, or other action applied in response to device's non-optimal beha
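The claims describe a four-stage pipeline: collect per-application activity counters, abstract them into a device activity signature (byte volume, connection volume, error count, ports, screen state), compare that signature with a reference (a similar-device population or the same device at an earlier time, optionally folded together with an expected signature for apps the user just installed), and turn the normal/anomalous classification into a policy action. The following is an added example written for this page, not code from the patent or from Seven Networks; the record schema, the sample records and reference profiles, the log-ratio distance and the 0.9 threshold are all assumptions made for illustration.

```python
"""Added illustration of the claimed pipeline: monitor -> signature -> classify -> policy.

Example code written for this page, not the patent's or Seven Networks' code. The
record schema, sample data, log-ratio distance and threshold are illustrative choices.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ActivityRecord:
    """One constructed per-application counter sample (hypothetical schema)."""
    app: str
    bytes_out: int
    connections: int
    dst_port: int
    app_errors: int
    screen_on: bool


# Constructed samples standing in for OS counters / logs (claim 2).
SAMPLE_RECORDS = [
    ActivityRecord("mail", 2500, 10, 443, 0, True),
    ActivityRecord("mail", 2500, 10, 443, 1, False),
    ActivityRecord("browser", 150000, 200, 443, 0, False),
    ActivityRecord("browser", 150000, 200, 443, 0, False),
    ActivityRecord("browser", 100000, 100, 8081, 0, False),
    ActivityRecord("newgame", 18000, 45, 27015, 0, True),
]

# Constructed reference signature for a population of similar devices (claim 8).
REFERENCE = {
    "mail": {"bytes": 5000, "conns": 20, "errors": 1,
             "ports": frozenset({443}), "screen_off_ratio": 0.3},
    "browser": {"bytes": 50000, "conns": 100, "errors": 2,
                "ports": frozenset({80, 443}), "screen_off_ratio": 0.1},
}

# Constructed expected signature for an app the user just installed (claims 9, 10, 13).
EXPECTED_INSTALLS = {
    "newgame": {"bytes": 20000, "conns": 50, "errors": 0,
                "ports": frozenset({443, 27015}), "screen_off_ratio": 0.0},
}


def build_signature(records):
    """Abstract raw samples into a per-app signature using claim 5 style features."""
    agg = defaultdict(lambda: {"bytes": 0, "conns": 0, "errors": 0,
                               "ports": set(), "screen_off_bytes": 0})
    for r in records:
        s = agg[r.app]
        s["bytes"] += r.bytes_out
        s["conns"] += r.connections
        s["errors"] += r.app_errors
        s["ports"].add(r.dst_port)
        if not r.screen_on:
            s["screen_off_bytes"] += r.bytes_out
    return {
        app: {"bytes": s["bytes"], "conns": s["conns"], "errors": s["errors"],
              "ports": frozenset(s["ports"]),
              "screen_off_ratio": (s["screen_off_bytes"] / s["bytes"]) if s["bytes"] else 0.0}
        for app, s in agg.items()
    }


def _log_ratio(observed, reference):
    """Symmetric magnitude of change: 0 when equal, about 0.69 at a 2x change."""
    return abs(math.log((observed + 1) / (reference + 1)))


def with_expected(reference, expected):
    """Fold expected signatures for user-initiated installs into the reference (claim 9)."""
    merged = dict(reference)
    merged.update(expected)
    return merged


def score_app(observed, reference):
    """Degree of difference between one app's observed and reference signature (claim 7)."""
    if reference is None:
        return 1.0  # no reference and no expected profile: treat as maximally different
    volume = max(_log_ratio(observed["bytes"], reference["bytes"]),
                 _log_ratio(observed["conns"], reference["conns"]))
    new_ports = len(observed["ports"] - reference["ports"])
    errors = _log_ratio(observed["errors"], reference["errors"])
    screen = max(0.0, observed["screen_off_ratio"] - reference["screen_off_ratio"])
    return max(volume, min(1.0, 0.5 * new_ports), errors, screen)


def classify(signature, reference, threshold=0.9):
    """Per-app (score, label); label is normal or anomalous (claim 6)."""
    result = {}
    for app, observed in signature.items():
        score = score_app(observed, reference.get(app))
        result[app] = (round(score, 3), "anomalous" if score > threshold else "normal")
    return result


POLICY = {"normal": "log", "anomalous": "alert_and_block"}  # claim 14 style actions


def apply_policy(classification):
    """Map each app's label to the policy action taken for it."""
    return {app: POLICY[label] for app, (_, label) in classification.items()}


if __name__ == "__main__":
    sig = build_signature(SAMPLE_RECORDS)
    labels = classify(sig, with_expected(REFERENCE, EXPECTED_INSTALLS))
    actions = apply_policy(labels)
    for app, (score, label) in labels.items():
        print(f"{app:8} score={score:<6} {label:9} -> {actions[app]}")
```

Two details are worth noticing. The browser profile is flagged because its byte volume is eight times the reference and all of it was sent with the screen off, whereas the mail profile stays normal despite a slightly higher screen-off share. The freshly installed game would be flagged as an unknown app if classified against the population reference alone; folding its expected install signature into the reference (as claims 9 and 13 describe) brings its new port and traffic volume within tolerance, which is what keeps user-initiated changes from generating alerts.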

Assignees

Seven Networks Llc

Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

Frequently asked questions


Who is the assignee on this patent?
Seven Networks Llc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Mar 10, 2016 (kind code A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).