1
A Multi-Dimensional Configurable Access Control Framework for Mobile Applications
By: Yaira K. Rivera Sánchez
Major Advisor: Steven A. Demurjian
2
Introduction
Mobile devices are rapidly replacing desktop computers
Users can do a wide variety of tasks on mobile devices
Mobile applications come into play
Ubiquitous technology
http://www.sdgc.com/sites/default/files/pdfs/mobile_applicaton_security_framework_wp.pdf
3
Motivation
Can Access Control be Leveraged for Mobile Computing?
–Role-Based, Discretionary, Mandatory
–Other Possible Access Control Models?
Where do we Define and Enforce Access Control?
–User Interface?
–Mobile App API?
–Server/Database/Repository?
4
Main Research Questions
Issue: Highly-sensitive data in mobile applications
–How to protect it?
–Who should be able to access it?
–What should be shown to each user?
How to integrate fine-grained access control in mobile applications?
–Where to do the integration?
5
Big Picture
6
Proposed Configurable Framework
The Configurable Framework and its Interactions with the Mobile App Infrastructure (diagram):
–Existing mobile app: Optional Permissions on Screens, UI Widgets, etc. (Direct UI Modifications)
–Existing mobile app API: Optional Permissions on APIs (Intercepting API Calls)
–Existing Mobile App Server (Database, Web and/or Cloud): Realize & Enforce Permissions (Direct Server Modifications)
–Configurable Framework: RBAC, MAC, and DAC
7
Expected Research Contributions
Multiple and Configurable Access Control Models
Fine-grained Permission Definition and Enforcement
Security Policy Generation:
–Use of Access Control models in security policies
Security Policy Integration:
–Security policies in diverse layers of a mobile application
8
Remainder of Presentation
Background
Proposed Framework – Focus on RBAC
Direct UI Modifications
–General Idea
–Authorization & Enforcement Process
–Implementation
–Permission Definition
Intercepting API Calls
–Architecture
–General Idea
–Policies & Pseudo Code
–Implementation Example
Conclusion & Future Work
9
Background
Mobile Application
–Native, Hybrid, Web
Access Control
–Role-Based Access Control (RBAC)
Application Programming Interface (API)
–JSON/REST
10
Mobile Application Structure (diagram panels: Logical Architecture; Proposed Framework)
11
Direct UI Modifications
Role-Based Access Control (RBAC) for Mobile Applications
Apply RBAC to a mobile app’s UI
Policies stored in the Database
Conditional statements are placed throughout the code
Communication through APIs
12
General Idea
13
Authorization & Enforcement Process
14
Implementation
Connecticut Concussion Tracker (CT²)
Developed in support of a new law passed in the state of Connecticut to track concussions of kids between ages 7 and 19 in public schools (CT Law HB6722)
Roles: Nurse, Athletic Trainer, Coach, Parent
Screenshots: Nurse, AT/Parent, Coach
15
Permission Definition in CT²
Screens: Show, Hide
Buttons: Enabled, Disabled
Text Fields, Drop Downs, Date Pickers: View, Edit, Edit Once
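The permission vocabulary on this slide (show/hide for screens, enabled/disabled for buttons, view/edit/edit once for fields) is easy to turn into a small resolver that the UI code consults instead of scattering role checks through every screen. The following is an added example, not code from the CT² project: the role names, screen and widget names, and the policy rows are constructed, and the policy table stands in for rows that the slides say are stored in the database. "Edit once" is interpreted here as editable only while the field is still empty, and any screen or widget with no policy row is hidden (default deny).

```python
"""Added example (not the CT^2 project's code): resolve a role's UI permissions
for screens and widgets using the slide's vocabulary. Role, screen and widget
names and the policy rows below are constructed assumptions."""
from dataclasses import dataclass

SCREEN_PERMS = {"show", "hide"}
BUTTON_PERMS = {"enabled", "disabled"}
FIELD_PERMS = {"view", "edit", "edit_once"}

# Constructed policy table, as it might be loaded from the policy database:
# (role, screen, widget) -> permission; widget None means the screen itself.
POLICY = {
    ("nurse", "cause", None): "show",
    ("nurse", "cause", "description"): "edit",
    ("nurse", "cause", "save"): "enabled",
    ("coach", "cause", None): "show",
    ("coach", "cause", "description"): "edit_once",
    ("coach", "cause", "save"): "enabled",
    ("coach", "symptoms", None): "hide",
    ("parent", "cause", None): "show",
    ("parent", "cause", "description"): "view",
    ("parent", "cause", "save"): "disabled",
}


@dataclass(frozen=True)
class WidgetState:
    visible: bool
    enabled: bool
    editable: bool


HIDDEN = WidgetState(False, False, False)


def validate_policy(policy=POLICY):
    """Return the entries whose permission word is not in the vocabulary,
    so a malformed policy table is caught before it reaches the UI."""
    errors = []
    for (role, screen, widget), perm in policy.items():
        allowed = SCREEN_PERMS if widget is None else BUTTON_PERMS | FIELD_PERMS
        if perm not in allowed:
            errors.append((role, screen, widget, perm))
    return errors


def screen_visible(role, screen, policy=POLICY):
    # Default deny: a screen with no policy row for this role is hidden.
    return policy.get((role, screen, None), "hide") == "show"


def widget_state(role, screen, widget, current_value=None, policy=POLICY):
    """Map one policy word to what the screen code needs for one widget.
    current_value is the field's stored value; it decides 'edit once'."""
    if not screen_visible(role, screen, policy):
        return HIDDEN
    perm = policy.get((role, screen, widget))
    if perm is None:  # no row for this widget: default deny
        return HIDDEN
    if perm in BUTTON_PERMS:
        return WidgetState(True, perm == "enabled", False)
    if perm == "view":
        return WidgetState(True, True, False)
    if perm == "edit":
        return WidgetState(True, True, True)
    if perm == "edit_once":
        # Editable only while the field is still empty; read-only afterwards.
        return WidgetState(True, True, current_value in (None, ""))
    raise ValueError(f"unknown permission {perm!r}")


def render_screen(role, screen, record, policy=POLICY):
    """Compute the state of every widget the policy knows on one screen.
    record holds the stored field values, e.g. {"description": "fall"}."""
    widgets = sorted(w for (r, s, w) in policy
                     if r == role and s == screen and w is not None)
    return {w: widget_state(role, screen, w, record.get(w), policy) for w in widgets}


if __name__ == "__main__":
    print(render_screen("coach", "cause", {"description": "fall"}))
```

The screen code then asks `render_screen` once per screen and sets each widget's visibility, enabled flag and editability from the result, which keeps the role logic in one place and makes the default-deny behaviour testable on its own.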
16
Intercepting API Calls
Place all the security policies in the API/DB
Do not change source code (look-and-feel)
Disable the delivery of content: Return filtered data to the mobile application
Insert/update actions: Before inserting information in the database
Retrieval actions: Perform RBAC checks after the information is retrieved from the database
17
Architecture
Part 1: Existing components of mobile application
–Define permissions on these
Part 2: Data in the DB (does not get modified)
Part 3: Addition and enforcement of security policies in DB and API
18
General Idea
19
Policies & Pseudo Code
Security policy tables in the database
API function pseudo code
20
Implementation Example
Coach role:
–Add basic information about a student
–Add information in the ‘Cause’ screen -> view it but not edit it
–Attempts to edit cause -> Blocks the attempt
–Does not have permission to view or edit the ‘Symptoms’, ‘Follow-Up’ and ‘Return’ screens -> Will block the content
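The "Intercepting API Calls", "Policies & Pseudo Code" and "Implementation Example" slides describe one mechanism: policy tables in the database, a write API that checks them before inserting or updating, and a read API that filters what it returns so the app never receives content the role may not see. The block below is an added example that walks the Coach scenario above; it is not the CT² project's code. The screen names follow the slides, while the role names, table layout, policy rows and student data are constructed, and an in-memory SQLite database stands in for the server's database.

```python
"""Added example (not the CT^2 project's own code): enforce RBAC in the API/DB
layer. Policy rows live in a table; the write API checks them before inserting
or updating, the read API filters the retrieved record. Role names, table
layout, policy rows and sample data are constructed assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE role_screen_policy (
    role TEXT, screen TEXT,
    can_view INTEGER, can_insert INTEGER, can_update INTEGER,
    PRIMARY KEY (role, screen)
);
CREATE TABLE concussion (
    student_id INTEGER, screen TEXT, field TEXT, value TEXT,
    PRIMARY KEY (student_id, screen, field)
);
"""
SCREENS = ("basic", "cause", "symptoms", "follow_up", "return")


class PermissionDenied(Exception):
    pass


def open_db():
    """Create the constructed schema and policy rows in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    policies = [("nurse", s, 1, 1, 1) for s in SCREENS]   # nurse: full access
    policies += [("coach", "basic", 1, 1, 1),              # coach: basic info
                 ("coach", "cause", 1, 1, 0)]              # coach: add cause, then view only
    # No rows for coach on symptoms/follow_up/return: default deny.
    conn.executemany("INSERT INTO role_screen_policy VALUES (?, ?, ?, ?, ?)", policies)
    conn.commit()
    return conn


def _policy(conn, role, screen):
    row = conn.execute(
        "SELECT can_view, can_insert, can_update FROM role_screen_policy "
        "WHERE role = ? AND screen = ?", (role, screen)).fetchone()
    return tuple(row) if row else (0, 0, 0)   # missing row = no rights


def api_save_field(conn, role, student_id, screen, field, value):
    """Insert/update API: the RBAC check runs before anything is written."""
    _, can_insert, can_update = _policy(conn, role, screen)
    exists = conn.execute(
        "SELECT 1 FROM concussion WHERE student_id = ? AND screen = ? AND field = ?",
        (student_id, screen, field)).fetchone() is not None
    if exists and not can_update:
        raise PermissionDenied(f"{role} may not update {screen}.{field}")
    if not exists and not can_insert:
        raise PermissionDenied(f"{role} may not insert into {screen}")
    conn.execute("INSERT OR REPLACE INTO concussion VALUES (?, ?, ?, ?)",
                 (student_id, screen, field, value))
    conn.commit()
    return True


def api_get_record(conn, role, student_id):
    """Retrieval API: read the record, then drop every screen the role may
    not view, so the mobile app only receives filtered data."""
    rows = conn.execute(
        "SELECT screen, field, value FROM concussion WHERE student_id = ?",
        (student_id,)).fetchall()
    result = {}
    for screen, field, value in rows:
        if _policy(conn, role, screen)[0]:
            result.setdefault(screen, {})[field] = value
    return result


def _attempt(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except PermissionDenied:
        return "blocked"


def coach_scenario():
    """Walk the slide's Coach scenario and report what the API did."""
    conn = open_db()
    api_save_field(conn, "nurse", 1, "symptoms", "headache", "yes")  # constructed data
    out = {
        "coach_adds_basic": _attempt(api_save_field, conn, "coach", 1, "basic", "name", "Student A"),
        "coach_adds_cause": _attempt(api_save_field, conn, "coach", 1, "cause", "description", "fall"),
        "coach_edits_cause": _attempt(api_save_field, conn, "coach", 1, "cause", "description", "collision"),
        "coach_adds_symptoms": _attempt(api_save_field, conn, "coach", 1, "symptoms", "nausea", "yes"),
    }
    out["coach_view"] = api_get_record(conn, "coach", 1)
    out["nurse_view"] = api_get_record(conn, "nurse", 1)
    return out


if __name__ == "__main__":
    for key, value in coach_scenario().items():
        print(key, value)
```

Because the policy lookup happens inside the API functions, the app's own screens and source code are untouched, which is the point of this approach; the trade-off is that every API entry point must go through these checks, since a single unguarded query would bypass the filtering.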
21
Conclusion & Future Work
Proposed a framework to achieve fine-grained access control in mobile applications
Presented two approaches that could be part of the framework
Mobile Application Management (MAM)
–Application Wrapper
Focus on the backend of the mobile application (API/server/DB)
22
Questions?
Introduction
Motivation
Main Research Questions
Big Picture
Expected Research Contributions
Background
Proposed Framework
Direct UI Modifications
Intercepting API Calls
Conclusion & Future Work