Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Multi-Dimensional Configurable Access Control Framework for Mobile Applications By: Yaira K. Rivera Sánchez Major Advisor: Steven A. Demurjian.

Published byJunior Goodman Modified over 8 years ago

Similar presentations

Presentation on theme: "A Multi-Dimensional Configurable Access Control Framework for Mobile Applications By: Yaira K. Rivera Sánchez Major Advisor: Steven A. Demurjian."— Presentation transcript:

1 A Multi-Dimensional Configurable Access Control Framework for Mobile Applications By: Yaira K. Rivera Sánchez Major Advisor: Steven A. Demurjian

2 Introduction Mobile devices are rapidly replacing desktop computers Users can do a wide variety of tasks in mobile devices Mobile applications come into play Ubiquitous Technology http://www.sdgc.com/sites/default/files/pdfs/mobile_applicaton_security_framework_wp.pdf 2

3 Motivation Can Access Control be Leveraged for Mobile Computing? Role-Based, Discretionary, Mandatory Other Possible Access Control Models? Where do we Define and Enforce Access Control? User Interface? Mobile App API? Server/Database/Repository? 3

4 Main Research Questions Issue: Highly-sensitive data in mobile applications How to protect it? Who should be able to access it? What should be shown to each user? How to integrate fine grained access control in mobile applications? Where to do the integration? 4

5 Big Picture 5

6 Proposed Configurable Framework Existing mobile App Existing mobile App API Existing mobile App API Existing Mobile App Server (Database, Web and/or Cloud) Existing Mobile App Server (Database, Web and/or Cloud) Optional Permissions on Screens, UI Widgets, etc. Realize & Enforce Permissions Optional Permissions on APIs The Configurable Framework and its Interactions with the Mobile App Infrastructure. Configurable Framework RBAC, MAC, and DAC Direct UI Modifications Intercepting API Calls Direct Server Modifications 6

7 Expected Research Contributions Multiple and Configurable Access Control Models Fine-grained Permission Definition and Enforcement Security Policy Generation: –Use of Access Control models in security policies Security Policy Integration: –Security policies in diverse layers of a mobile application 7

8 Remainder of Presentation Background Proposed Framework – Focus on RBAC Direct UI Modifications –General Idea –Authorization & Enforcement Process –Implementation –Permission Definition Intercepting API calls –Architecture –General Idea –Policies & Pseudo Code –Implementation Example Conclusion & Future Work 8

9 Background Mobile Application –Native, Hybrid, Web Access Control –Role-Based Access Control (RBAC) Application Programming Interface (API) –JSON/REST 9

10 Mobile Application Structure Logical Architecture Proposed Framework 10

11 Direct UI Modifications Role-Based Access Control (RBAC) for Mobile Applications Apply RBAC to a mobile app’s UI Policies stored in the Database Conditional statements are placed throughout the code Communication through APIs 11

12 General Idea 12

13 Authorization & Enforcement Process 13

14 Implementation Connecticut Concussion Tracker (CT 2 ) Developed in support of a new law passed in the state of Connecticut to track concussions of kids between ages 7 to age 19 in public schools (CT Law HB6722) Roles: Nurse, Athletic Trainer, Coach, Parent 14 NurseAT/ParentCoach

15 Permission Definition in CT 2 Screens: Show Hide Buttons: Enabled Disabled Text Fields, Drop Downs, Date Pickers: View Edit Edit Once 15

16 Intercepting API Calls Place all the security policies in the API/DB Do not change source code (look-and-feel) Disable the delivery of content: Return filtered data to the mobile application Insert/update actions: Before inserting information in the database Retrieval actions: Perform RBAC checks after the information is retrieved from the database 16

17 Architecture Part 1: Existing components of mobile application Define permissions on these Part 2: Data in the DB (does not get modified) Part 3: Addition and enforcement of security policies in DB and API 17

18 General Idea 18

19 Policies & Pseudo Code Security policy tables in the database API function pseudo code 19

20 Implementation Example Coach role: –Add basic information about a student –Add information in the ‘Cause’ screen -> view it but not edit it –Attempts to edit cause -> Blocks the attempt –Does not have permission to view nor edit the ‘Symptoms’, ‘Follow-Up’ and ‘Return’ screens -> Will block the content 20

21 Conclusion & Future Work Proposed a framework to achieve fine- grained access control in mobile applications Presented two approaches that could be part of the framework Mobile Application Management (MAM) –Application Wrapper Focus on the backend of the mobile application (API/server/DB) 21

22 Questions? Introduction Motivation Main Research Questions Big Picture Expected Research Contributions Background Proposed Framework Direct UI Modifications Intercepting API Calls Conclusion & Future Work 22

Download ppt "A Multi-Dimensional Configurable Access Control Framework for Mobile Applications By: Yaira K. Rivera Sánchez Major Advisor: Steven A. Demurjian."

Similar presentations

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Operating System Security

Operating System Security
CSE300-1 Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The.

CSE300-1 Profs. Steven A. Demurjian Q. Jin, J. Nam, Z. Qian and C. Phillips Computer Science & Engineering Department 191 Auditorium Road, Box U-155 The.
NGT Information Technology Technical Discussion Bob DeHoff Info Tech, Inc.

NGT Information Technology Technical Discussion Bob DeHoff Info Tech, Inc.
© 2009 Oracle Corporation – Proprietary and Confidential 1.

© 2009 Oracle Corporation – Proprietary and Confidential 1.
Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,

Making Cellular Networks Scalable and Flexible Li Erran Li Bell Labs, Alcatel-Lucent Joint work with collaborators at university of Michigan, Princeton,
02/12/00 E-Business Architecture

02/12/00 E-Business Architecture
MIT iCampus iLabs Software Architecture Workshop June 13 - 15, 2006.

MIT iCampus iLabs Software Architecture Workshop June , 2006.
MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.

MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.
Input Validation For Free Text Fields ADD Project Members: Hagar Offer & Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav.

Input Validation For Free Text Fields ADD Project Members: Hagar Offer & Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav.
SiS Technical Training Development Track Technical Training(s) Day 1 – Day 2.

SiS Technical Training Development Track Technical Training(s) Day 1 – Day 2.
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
Connecticut Concussion Tracker (CT)2

Connecticut Concussion Tracker (CT)2
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.

ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Creation of hybrid portlet application for file download using IBM Worklight and IBM Rational Application Developer v9 Gaurav Bhattacharjee Lakshmi Priya.

Creation of hybrid portlet application for file download using IBM Worklight and IBM Rational Application Developer v9 Gaurav Bhattacharjee Lakshmi Priya.
Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.

Security-Enhanced Linux & Linux Security Module The George Washington University CS297 Programming Language & Security YU-HAO HU.
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
London April 2005 London April 2005 Creating Eyeblaster Ads The Rich Media Platform The Rich Media Platform Eyeblaster.

London April 2005 London April 2005 Creating Eyeblaster Ads The Rich Media Platform The Rich Media Platform Eyeblaster.
Mobile Application Development using Android Lecture 2.

Mobile Application Development using Android Lecture 2.

Similar presentations

Ads by Google